ABSTRACT


This thesis represents a contribution to the development of practical computer
systems for interactive construction of formal proofs. Beginning with a summary of current
research in automatic theorem proving, goal oriented systems, proof checking, and
program verification, this work aims at bridging the gap between proof checking and
theorem proving.


Specifically, it describes a system GOAL for the First Order Logic proof checker FOL.
GOAL helps the user of FOL in the creation of long proofs in three ways: 1) as a facility
for structured, top down proof construction; 2) as a semi-automatic theorem prover; and
3) as an extensible environment for the programming of theorem proving heuristics.

In GOAL, the user defines top level goals. These are then recursively decomposed
into subgoals. The main part of a goal is a well formed formula that one desires to prove,
but goals also include assertions, simplification sets, and other information. Goals can be tried
by three different types of elements: matchers, tactics, and strategies.

The matchers attempt to prove a goal directly - that is, without reducing it into
subgoals - by calling decision procedures of FOL. Successful application of a matcher
causes the proved goal to be added to the FOL proof.

A tactic reduces a goal into one or more subgoals. Each tactic is the inverse of some
inference rule of FOL; the goal structure records all the necessary information so that the
appropriate inference rule is called when all the subgoals of a goal are proved. In this
way the goal tree unwinds automatically, producing a FOL proof of the top level goal from
the proofs of its leaves.


The strategies are programmed sequences of applications of tactics and matchers.
They do not interface with FOL directly. Instead, they simulate a virtual user of FOL.
They can call the tactics, matchers, other strategies, or themselves recursively. The
success of this approach to theorem proving is documented by one heuristic
strategy that has proved a number of theorems in Zermelo-Fraenkel Axiomatic Set Theory.
Analysis of this strategy leads to a discussion of some trade offs related to the use of
assertions and simplification sets in goal oriented theorem proving.

The user can add new tactics, matchers, and strategies to GOAL. These additions
cause the language to be extended in a uniform way. The description of new strategies
is done easily, at a fairly high level, and no faulty deduction is possible. Perhaps the main
contribution of GOAL is a high level environment for easy programming of new theorem
proving applications in the First Order Predicate Calculus.

The thesis ends with two appendixes presenting complete proofs of Ramsey's
theorem in axiomatic Set Theory and of the correctness of the Takeuchi function.

(It is planned that both FOL and GOAL will be made available over the ARPANET this
year. Inquiries regarding their use should be addressed to Dr. R. Weyhrauch at the
Stanford Artificial Intelligence Laboratory, SU-AI).

This thesis was submitted to the Department of Computer Science and the Committee on
Graduate Studies of Stanford University in partial fulfillment of the requirements for the degree of
Doctor of Philosophy.

This research was supported by the Advanced Research Projects Agency of the Department of
Defense under ARPA Order No. 2494, Contract MDA903-76-C-0206. The views and conclusions
contained in this document are those of the authors and should not be interpreted as necessarily
representing the official policies, either expressed or implied, of Stanford University, or any agency
of the U. S. Government.
1. INTRODUCTION


The research presented in this doctoral thesis is a contribution to the development of
practical systems for interactive construction of mathematical proofs.

The availability of fully interactive proof checkers that permit their users to construct
proofs incrementally gives rise to an activity which is best described by the term interactive
proof construction. This name has not yet found widespread usage in the computer science
literature; instead, related research has generally been classified into the following
categories: proof checking, automatic theorem proving, and man-machine systems for these
tasks. This research is related to but takes a different approach from that of previous
research in those areas.

Proof checkers generally embody a system of logic that includes both the recognition of
legal expressions in that logic, or well formed formulae (WFFs), and inference rules by which
new formulae are deduced from axioms and/or previously proved formulae.

In an interactive proof constructor, the inference rules are embodied in commands that can
be called by the user in order to increment a proof; normally, one new step of the proof is
produced by every successful call to an inference command. This leads to a bottom up mode
of proof construction, in contrast with the rather goal oriented thinking process of the working
mathematician.

The approach taken in this thesis is to provide users of an interactive proof constructor
with a language in which goals can be stated and reduced recursively into sub-goals, so that
the reduction rules correspond to the inference rules of the proof constructor. Thus the goal
commands are the inverse of the inference commands, and the system knows how to deduce a
goal from its sub-goals. This leads to a top down mode of proof construction.

When an interactive proof constructor is provided with an equally interactive goal
oriented command language, both modes of proof construction, the inference oriented,
bottom up mode and the goal oriented, top down one, can be combined to any desired extent
by the user, according to the particular problem and taste.

A novel approach to automatic theorem proving consists in replacing the human user by a
heuristic for sequencing the recursive application of the goal oriented commands and of some
inference commands that attempt to prove the sub-goals by using a set of facts or axioms.
Automatic proofs of a number of theorems, including the first 33 theorems in the Appendix on
Set Theory in [Kelley 1955], have been obtained with one heuristic of this type.

When a goal command language is designed to allow for easy addition of such theorem
proving routines, it results in a high level programming environment for theorem proving
applications. Users can program their own heuristics to fit different styles of proof and imbed
them into the system without having to modify its structure. This can be done easily: the
algorithms can be described as programmed sequences of calls to the reduction rules and
inference commands, and priority queues or any other data structures can be used to control
the order in which sub-goals are tackled. Thus users can augment the power of the
interactive proof constructor for specific domains of their interest by having their own
libraries of heuristics that can be added to the system and called using the already existing
high level commands of the language.

The goal oriented command language GOAL for the system FOL, an interactive proof
constructor for the first order predicate calculus, is presented in this thesis. It has been
programmed by the author in LISP, on top of FOL, at the Stanford Artificial Intelligence
Laboratory DEC KL-10 computer system. The user can program new inference rules, new
subgoaling commands, and new heuristic strategies as programmed sequences of calls to the
inference rules and subgoaling commands; these are added to the system by calling a GOAL
routine that automatically extends the language, and its syntax, to incorporate the new
commands. To our knowledge this is the first time that the following wish, expressed by
[Slagle 1976], is fulfilled:


"It is an attractive idea to write a program based on mathematical logic, since this is a
well-formulated and well-studied branch of mathematics. In addition, programming a computer is a way
to study mathematical logic. For example, the programmer may develop powerful, natural, intuitive
inference rules to which heuristics can be added easily."


The Encyclopedia of Computer Science (page 1419, my emphasis).


1.1. The Research Program.


The research presented in this thesis bridges the gap between current research in the
disciplines of automatic theorem proving and proof checking. Indirectly, it also relates to some
research in program verification. Thus it is part of a collective endeavor that has a tradition
of at least 20 years.

Moreover, it is a contribution to a collective effort by the Formal Reasoning group at the
Stanford Artificial Intelligence Laboratory (SAIL), that represents one current of thought within
the other, larger research program. This does not imply that the views expressed in this
thesis are held by other members of the Formal Reasoning project or by its sponsors. It does
imply, however, that this research has been guided by the author's views of this collective
effort.

Nowadays, most researchers in the fields of automatic theorem proving and proof checking
would agree that one of the general long term goals underlying their research is to provide
practical computer systems that can be used as a research tool by working mathematicians.
There are marked differences of opinion as to how this goal is to be accomplished. The
purpose of this section is to give a broad overview of the main currents and their
shortcomings, in order to see our contribution in its relationship to that research tradition.
AUTOMATIC THEOREM PROVING. The general goal of research in automatic theorem
proving has been to produce programs that can prove mathematical theorems automatically
and to find useful formalisms, decision procedures, and heuristics for this purpose. Some early
researchers thought that machines would eventually surpass humans in their capacity to find
proofs of mathematical theorems. While that assumption has not been disproved, progress has
been generally slow and the realization of that promise does not seem to lie in the near future.

The most successful general purpose algorithm used in automatic theorem proving is the
resolution principle by Robinson [Robinson 1965]. Many, if not the majority, of the successful
theorem proving programs are based on resolution. Resolution is a semi-decision procedure
that is sound and complete for the pure first order predicate calculus [Nilsson 1971,
Luckham 1967, Lee 1967, Slagle 1971]. Thus, while it is theoretically possible to find
resolution proofs of any theorem that is provable within that logical calculus, in actual practice
only rather simple theorems have been proved because the size of the space of possibilities
that must be searched by the computer rapidly explodes beyond the power of present day
computers for more difficult theorems.

The same is true of other general purpose decision procedures. Thus much research effort
is invested into finding heuristic[1] rules for pruning the search space. All of the more
successful theorem proving programs, whether they are resolution based or not, use heuristics
for guiding their search for a proof.

The problem with heuristics is that they tend to be domain specific. Just as
mathematicians develop competency in particular domains of mathematics, it lies in the very
nature of heuristics that they gain power by losing generality.

Thus the effort to increase the power of theorem provers by incorporation of heuristic
algorithms inevitably leads to more specialized, domain specific theorem provers [Pastre
1978, Nevins 1976a, 1975b, Brown 1977a, 1977b, 1978, Bledsoe, Boyer and Henneman
1972, Goldstein 1973, Bundy 1973]. Given the large amount of work required to program a
theorem prover, this is not a desirable state of affairs.

Because of the specialization of theorem provers, they tend to incorporate into their
design the formalisms most suited for the domain for which they are intended. This forces the
user to express his problems in the formalism understood by the theorem prover and thereby
limits its usefulness.

PROOF CHECKING. The recognition that the correctness of a proof in a logical formalism can
be mechanically verified is much older than the computer. However, research into practical
computer programs for this purpose came only after the initial optimism regarding the
possibilities of automatic theorem provers had been tempered [McCarthy 1962, 1966,
Abrahams 1963, Bledsoe and Gilbert 1967].

A proof checker is a program that incorporates the rules of a logical calculus so that it can
verify that a proof is actually correct according to that calculus. For this, it needs to
recognize the different objects of the calculus and to be able to perform its various inference
rules.


[1] Heuristic: aid to discovery.
A proof checker is as general as the logical formalism it embodies. Some logical formalisms
are so general that practically every domain of mathematics can be expressed in them. Thus
proof checkers offer the possibility of verifying any formal proof.

Among the most general and successful proof checkers we find AUTOMATH [De Bruijn
1974], EXCHECK [Smith and Blaine 1976], and FOL [Weyhrauch 1977].

FOL is based on the well known first order predicate calculus [Mendelson 1964], and it
will be discussed extensively in this thesis.

Automath is based on a new formal language developed by the leader of the Automath
project, N. G. de Bruijn. The Automath language [De Bruijn 1970, 1971] is radically different
from the first order predicate calculus. It was conceived as a universal language for writing
mathematical books in a way that they can be proof-checked by machine, and it seems to be
as powerful as first order predicate calculus but it is much less well known to the
mathematical community. The largest proof checking project realized in Automath [Jutting
1977] is of a size and scope comparable to the projects undertaken in FOL, like the
construction of a proof for Ramsey's theorem by this author [Weyhrauch et al. 1979]. Unlike
FOL, the Automath proof checker is not interactive.

EXCHECK is an interactive proof checker for first order logic like FOL, conceived
especially for mathematics instruction at the undergraduate level. It has been programmed by
a group at the Institute for Mathematical Studies in the Social Sciences, and is currently used
for teaching purposes at Stanford University [Suppes 1975].

Less general than FOL, but oriented by the same spirit towards interactive construction of
proofs, are the LCF proof checkers [Milner 1972b, Gordon, Milner and Wadsworth 1977].
They are based on a formalism suited for verification of correctness of computer programs.

The main shortcoming of present day proof checkers is that the logical deduction steps
they can check are too atomic, that is too small, as compared with the way humans reason.
Formalizing proofs in a formalism like first order predicate calculus, or in the Automath
language, is a tedious exercise comparable to programming a computer in assembly language[2].
This is the reason why [Jutting 1977, Weyhrauch et al. 1979] are probably the largest
projects ever carried out on a proof checker.

In actual practice mathematicians do not attempt to produce formal proofs in a logical
formalism. Their proofs are arguments whose validity is checked by other members of the
mathematical community; their standards of rigor are based on a living tradition and have not
been explicitly laid down. For almost all current mathematical theories, it is known that the
proofs given by mathematicians can be reduced to fully formalized proofs in the first order
predicate calculus [Shoenfield 1967], and some mathematicians have a fairly clear idea as to
how to do this, but they would almost never bother to carry out this reduction because fully
formalized proofs are very long and tedious.

In order for proof checkers to become valuable tools in mathematical practice, it will be
necessary to either develop more powerful logical formalisms or to provide proof checkers
with the ability to fill in many of the details of a proof. The latter approach will be investigated
in this thesis.

[2] It is in fact much more difficult than assembly language programming.

INTERACTIVE SYSTEMS. There are interactive theorem provers [Allen and Luckham
1970, Morales 1973, Bledsoe and Bruell 1974] and interactive proof checkers [Weyhrauch
1977, Milner 1972b, Gordon, Milner and Wadsworth 1977]. An interactive theorem prover
attempts to remedy the limitations of theorem provers by providing the possibility of human
guidance of the search for a proof. Interactive proof checkers construct the proof in an
on-line conversational process with the user; this kind of system we shall call interactive proof
constructors.

There is no clearly defined boundary between interactive theorem provers and proof
constructors. The distinction rather rests on the approach that guided the development of the
system, so that some systems have more of the flavor of theorem provers and others that of
proof checkers. Thus an interactive theorem prover can become a tool for interactive
generation of proofs [Bledsoe and Bruell 1974].

On the other side, the power of an interactive proof checker can be expanded by the
inclusion of theorem proving facilities; this thesis develops a methodology for this.

GOAL ORIENTED SYSTEMS. A formal proof of a theorem starts with the axioms and
consists of a series of logical deductions which leads from those axioms to the theorem. Thus
it has a bottom up structure. It is the task of mathematicians to discover new theorems they
believe to be true and to prove their validity by giving proofs of them. Thus it is always the
case in mathematical practice that the apparently bottom up line of reasoning of the proof has
been constructed a posteriori to the discovery of the fact it proves, and that its construction
has been guided by this fact.

Several researchers, coming from the theorem proving side, have developed goal oriented
reduction rules to guide theorem provers towards the theorem [Bledsoe 1971, Nevins 1974,
1976b, Ernst 1971, Brown 1977a, 1978]. Similar reduction rules can be incorporated into
an interactive proof checker. This has been done first in the earlier LCF proof checker at
Stanford [Milner 1972b], and then independently improved, along different lines, by the
Edinburgh group [Gordon, Milner and Wadsworth 1977] and by us.

PROGRAM VERIFICATION. Research in program verification is related to proof checking
because both problems are similar in nature. Researchers in this field look for formalisms in
which the conditions of correctness of a program can be formally stated, and develop
programs that can check the proofs of correctness in those formalisms. They hope that
programs that verify the correctness of programs will become a practical tool in software
development.

Thus one of the motivations for research in proof checking is that advances in this field
are likely to serve the more practical field of program verification, in two ways: because
practical computer systems for both tasks are likely to be similar, and also because the
conditions of correctness of a program can be formalized in a logical language like the first
order predicate calculus [McCarthy 1963, 1966, 1977, McCarthy and Painter 1967,
Cartwright and McCarthy 1979, Milner and Weyhrauch 1972a, 1972b, Weyhrauch 1976,
Weyhrauch et al. 1979, Cartwright 1976, Wagner 1977], thus reducing one problem to the
other.
INTERACTIVE PROOF CONSTRUCTION. The availability of the FOL system has spurred
research in interactive construction of proofs of non-trivial theorems in various fields of
mathematics [Weyhrauch et al. 1979]. Before starting work on the GOAL language
described in this thesis, the author constructed a proof of Ramsey's theorem in 600 steps,
and proofs of the first 98 theorems in [Kelley 1955] totalling 2000 steps. The complete
proofs are presented in [Weyhrauch et al. 1979]. Because of the generality of first order
predicate calculus as a means for the formalization of reasoning, the availability of FOL has
also originated research into the axiomatization of several domains in this calculus [McCarthy,
Sato, Hayashi and Igarashi 1978, McCarthy 1977, 1979].

To our knowledge, the only interactive proof constructor comparable to FOL is the recently
developed LCF proof checker at the University of Edinburgh [Gordon, Milner and Wadsworth
1977]. Based on a formalism oriented towards program verification [Scott 1969, Scott and
Strachey 1972], it is less general than FOL but it shares much of the same spirit.

We do not know of any large size proofs produced with the LCF system, but we have
recently learned that they have developed a user oriented metalanguage ML for programming
proof strategies [Gordon, Milner, Morris, Newey and Wadsworth 1978]. Our language has
been developed independently, is quite different from theirs, and it appears to be an equally
flexible tool for programming user designed strategies, except for the fact that this can be
done using high level commands in ML but, for the time being, only at the LISP level in GOAL.

Because of the greater generality of FOL, theories described in LCF can be axiomatized
and dealt with in FOL, while the converse is not always true. Also because of the flexibility
and extensibility of GOAL, we can program in GOAL any tactics or strategies one can do in
LCF. Thus, if one wishes to use FOL for some domain of knowledge for which LCF appears to
be initially better suited, for instance proving assertions about recursive programs, one has
first to find a suitable axiomatization in first order logic for that domain of knowledge
[McCarthy 1977], and then one can program strategies that simulate the LCF deduction rules
in that axiomatization. Doing so, one would have a system where there is one GOAL command
for each deduction rule of LCF, and one can still chain these into more complex strategies,
thereby achieving the same effects as in the LCF metalanguage.


1.2. Aims and scope of this thesis.


The research of the Formal Reasoning group at the Stanford Artificial Intelligence
Laboratory is centered on the concept of interactive construction of checked proofs and is
presently committed to the first order predicate calculus as a universal language for
expressing mathematical reasoning. The principal computer system used by this group is an
interactive proof checker for this calculus, FOL [Weyhrauch 1977, 1978a], developed and
implemented mainly by Richard Weyhrauch. FOL is based on Gentzen type deduction rules
[Gentzen 1936, Prawitz 1965]. In a later section, it will be described to the extent
necessary for an understanding of this thesis. The research presented here depends on the
availability of an interactive proof constructor. Thus we take FOL for granted and we shall
not discuss the choice of the first order predicate calculus.
This doctoral thesis presents a GOAL ORIENTED COMMAND LANGUAGE, GOAL, for FOL,
that has been developed and programmed by the author. To my knowledge, this is the first
attempt to implement a facility of this type in an environment as general as FOL. GOAL has
benefited from some ideas implemented by Weyhrauch and Milner in a goal command language
for the early version of LCF [Milner 1972b, 1972a], an interactive proof checker for Scott's
Logic of Computable Functions [Scott 1969, Milner 1973], that was a forerunner of FOL at
the Stanford Artificial Intelligence Laboratory.

The main goal of this work has been to facilitate interactive construction of proofs by
providing a facility to work in a top down manner, that is to work backwards from the goal (a
well formed formula) towards the simpler subgoals, iterating this process until a set of
formulae is obtained that can be proved more easily. When these are proved, the GOAL
system produces the proof of the goal from those formulae. It does so by calling the very FOL
deduction rules that, if they had been called by the user, would produce the same proof, and
the proof steps generated by GOAL are indistinguishable from those generated using the
forward proving commands of FOL. We have strived to keep our system consistent with FOL
in the sense just explained.

In FOL, proofs are constructed bottom up, that is from the simpler facts towards the goal
which exists in the mind of the user. FOL offers a number of inference rules and decision
procedures to carry out this task. Each inference command or decision procedure produces a
new line of the proof, based on axioms and/or previous lines that must be explicitly referred
to by the user.

The commands available in GOAL for carrying out the reduction of a goal to simpler
subgoals are the inverses of FOL commands, and the GOAL commands available for matching
(i.e., directly proving) goals use the decision procedures available in FOL.

Another aim of this work has been to provide the user of FOL with facilities for automatic
generation of proofs of simple lemmas, so as to drastically reduce the amount of work
necessary for interactive proof construction. This aspect takes us into the realm of automatic
theorem proving, and some of the ideas are novel.

Independently, [Bledsoe 1971, Brown 1977a, Pastre 1978] have used the idea of
subgoaling in theorem proving, and Bledsoe's group has developed an interactive theorem
proving system. All these researchers have been concerned with theorem proving rather than
proof checking.

The automatic theorem proving routines presented here are subordinated to the structure
of FOL and GOAL. They operate strictly by calling the simpler reduction rules of GOAL and the
decision procedures available in FOL. Thus they are heuristics for sequencing the commands
available to the user, who could himself call the same sequence. It seems to be the first time
that theorem proving is tackled from this angle, at least in a first order logic environment, and
we understand this to be the sense of the desire shown in the quote from [Slagle 1976], in
the introduction to this document.
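
The division of labour described above and in the abstract (matchers prove a goal directly, each tactic is the inverse of an inference rule, strategies only sequence the two) can be sketched as follows. This is an added example, not code from the thesis: a toy propositional kernel stands in for FOL, and every name in it (Theorem, Goal, and_tac, imp_tac, swapped_and_tac, assumption_matcher, strategy) is hypothetical.

```python
from dataclasses import dataclass

# Formulas are nested tuples: ("atom", name), ("and", A, B), ("imp", A, B).
def atom(name): return ("atom", name)
def conj(a, b): return ("and", a, b)
def imp(a, b): return ("imp", a, b)

_KERNEL = object()  # token passed only by the inference rules below

@dataclass(frozen=True)
class Theorem:
    """A proved sequent hyps |- concl; only inference rules construct one."""
    hyps: frozenset
    concl: tuple
    token: object = None

    def __post_init__(self):
        if self.token is not _KERNEL:
            raise ValueError("theorems come only from inference rules")

# Inference rules: the bottom-up commands of the toy checker.
def assume(a):
    return Theorem(frozenset([a]), a, _KERNEL)

def and_intro(t1, t2):
    return Theorem(t1.hyps | t2.hyps, conj(t1.concl, t2.concl), _KERNEL)

def imp_intro(a, t):
    return Theorem(t.hyps - {a}, imp(a, t.concl), _KERNEL)

@dataclass(frozen=True)
class Goal:
    hyps: frozenset  # assertions the proof may use
    wff: tuple       # formula to be proved

def achieves(th, goal):
    """True if th concludes the goal's wff using only the goal's hypotheses."""
    return th.concl == goal.wff and th.hyps <= goal.hyps

# Tactics return (subgoals, validation); the validation calls the inference
# rule that the tactic inverts, so the goal tree unwinds through the kernel.
def and_tac(goal):
    if goal.wff[0] != "and":
        return None
    _, a, b = goal.wff
    subgoals = [Goal(goal.hyps, a), Goal(goal.hyps, b)]
    return subgoals, lambda ths: and_intro(ths[0], ths[1])

def imp_tac(goal):
    if goal.wff[0] != "imp":
        return None
    _, a, b = goal.wff
    return [Goal(goal.hyps | {a}, b)], lambda ths: imp_intro(a, ths[0])

def swapped_and_tac(goal):
    """A faulty user-written tactic: its validation builds B&A, not A&B."""
    step = and_tac(goal)
    if step is None:
        return None
    return step[0], lambda ths: and_intro(ths[1], ths[0])

def assumption_matcher(goal):
    """Matcher: proves a goal directly when its wff is among the hypotheses."""
    return assume(goal.wff) if goal.wff in goal.hyps else None

def strategy(goal, tactics=(and_tac, imp_tac), matchers=(assumption_matcher,)):
    """Try matchers, then tactics, recursively.

    Returns (theorem, []) on success or (None, unproved_leaves) on partial
    failure, so the user can continue from the leaves that remain open.
    """
    for match in matchers:
        th = match(goal)
        if th is not None and achieves(th, goal):
            return th, []
    for tac in tactics:
        step = tac(goal)
        if step is None:
            continue
        subgoals, validate = step
        results = [strategy(g, tactics, matchers) for g in subgoals]
        open_leaves = [g for _, leaves in results for g in leaves]
        if open_leaves:
            return None, open_leaves
        th = validate([t for t, _ in results])
        if not achieves(th, goal):  # the kernel result is compared to the goal
            raise RuntimeError(f"{tac.__name__} does not invert its rule")
        return th, []
    return None, [goal]

if __name__ == "__main__":
    p, q, r = atom("p"), atom("q"), atom("r")
    print(strategy(Goal(frozenset(), imp(p, imp(q, conj(p, q))))))
    print(strategy(Goal(frozenset(), imp(p, conj(p, r)))))  # leaf r stays open
```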

Furthermore, GOAL has been designed so as to allow for easy addition of new reduction
rules and new theorem proving facilities. These can be programmed by the user, and
incorporated into GOAL by passing their names to a routine that "introduces" them to the
GOAL environment, after which they can be called using the GOAL syntax.
In this way, GOAL becomes something like a programming language for automatic theorem
proving. A user working on a particular domain of mathematical knowledge may observe his own
behavior and identify the strategies that appear to be most fruitful in that particular domain,
and may wish to program those strategies into GOAL.

The idea of a user oriented programming language for theorem proving applications has
been developed independently by the Edinburgh group [Gordon, Milner, Morris, Newey and
Wadsworth 1978], and is otherwise new. It has not been implemented at a sufficiently high
level in the present version of GOAL, in the sense that the user who wishes to add new
strategies will still have to understand some aspects of the GOAL code, and that for the time
being these additions have to be programmed at the LISP level. But, once a certain familiarity
with the code has been attained, powerful new strategies can be programmed in a few hours
and simple ones in less than one hour. For future work in an interactive proof construction
environment, we envision researchers having shared libraries of theorem proving strategies,
documented as to the nature of applications for which they are most useful.

While  it  was  in  the  initial  conception  of  the  GOAL  language  that  it  should  allow  for  easy 
extension  by  the  user,  it  was  only  after  experimentation  with  this  system  that  I  realized  the 
practicability  of  a  higher  level  programming  language  for  user  designed  strategies  in  a  first 
order  logic  proof  construction  environment.  In  the  environment  of  FOL  and  GOAL,  a  translator 
for  such  a  language  can  be  implemented  fairly  straightforwardly. 

The  results  obtained  with  this  approach  to  theorem  proving  are  encouraging.  We  present 
here a strategy, LOGIC, that has proved a number of theorems in Set Theory, including the
first 33 theorems in the Appendix in [Kelley 1955], fully automatically. More important is the
fact that in most cases failure of this routine does not mean complete failure; it rather means
that it carried out much of the work and it did not know how to prove one or more of the
subgoals it generated. The user can then either proceed towards those unproved subgoals or
cancel  some  branches  of  the  goal  structure  that  was  generated  and  retry  those  goals. 

Thus  the  GOAL  language  permits  the  FOL  user  to  arbitrarily  blend  different  styles  of  proof; 
the  deduction  oriented,  bottom  up  style;  the  goal  oriented,  top  down  style;  and  the  automatic 
theorem  proving  one. 

An  important  building  block  of  LOGIC  is  the  FOL  command  for  syntactic  simplification. 
Syntactic  simplification  consists  in  recursively  rewriting  a  formula  by  left  to  right  replacements 
by a user specified set of equalities and equivalences. This idea is also found in Bledsoe
[Bledsoe 1971] and in the LCF proof checker. It was first implemented in FOL by the author,
then  the  code  was  improved  by  Andrew  M.  Robinson  in  order  to  deal  with  sorted  variables. 
The  FOL  implementation  of  syntactic  simplification  allows  for  creation  and  naming  of  arbitrarily 
many  user  defined  simplification  sets.  In  GOAL  some  simplification  sets  are  automatically 
created,  used  and  expanded  down  the  nodes  of  the  goal  tree.  In  axiomatic  Set  Theory, 
syntactic  simplification  turns  out  to  be  a  very  fruitful  tactic. 

The idea of syntactic simplification has already been recognized by several researchers
as a powerful aid in theorem proving. In the theorem provers of [Bledsoe 1971, Pastre 1978,
Brown 1977a, 1978], we find that one fixed, though perhaps extensible, set of reduction
rules is presented as a knowledge base of the theorem prover. The knowledge bases thus
presented are domain specific, often fairly large, and they substantially contribute to the
power of those theorem provers.

We have found that the use of automatic simplification in theorem proving is not without
problems. Sometimes it is crucial that the formulae are simplified early, at other times one
wishes to postpone simplification. In FOL, one can have as many different, user designed
simplification sets as one wishes, and one can add or subtract knowledge to them at any time.
They can be referred to by names. In this, FOL is like the LCF proof checkers [Milner 1972b,
Gordon, Milner and Wadsworth 1977].

In  GOAL,  the  user  has  control  over  when  simplification  is  effected,  and  we  have  strived  to 
give him a fair amount of control over what goes into the simplification sets (or, shortly,
simpsets) that are automatically created by the GOAL system. In any case, these
automatically created simpsets are not used unless the user, or a strategy, requests it. In
this, GOAL is unlike the goal language of the LCF proof checker, in which simplification is often
done automatically, as a standardized proof mechanism, upon creation of subgoals3.

Conditional  simplification  has  been  implemented  in  GOAL,  in  a  way  that  is  quite  different 
from conditional simplification in the Edinburgh LCF system. In that system, conditional
simplification means that the system will not simplify against certain equivalence or equality
rules if there are certain variables and type variables that are shared between these rules
and the hypotheses on which they depend. The details of this, as described in [Gordon,
Milner and Wadsworth 1977] seem to be relevant only for an environment based on Scott's
logic, but not for a first order logic environment. Also, because of the large amount of user control
over  the  creation  and  use  of  simplification  sets  in  GOAL,  we  have  never  encountered  problems 
that  would  make  that  kind  of  conditional  simplification  necessary. 

Our version of conditional simplification has been implemented only in the context of
automatic theorem proving strategies, and it consists in the following: when a WFF is being
simplified, simplification of those sub-expressions (sub-WFFs) that are potentially unifiable4
against VLs in the list of facts not included in the simplification set will be inhibited.

In other words, while in the LCF system conditional simplification means that certain rules
will be inhibited, we have found this unnecessary, and instead we inhibit simplification of
certain parts of the WFF being simplified, while leaving all of the rules active (notice that the
part that is being inhibited might have been simplified not as a whole, but some part of it
might have been simplified by some rule in the simplification set; our version of conditional
simplification will inhibit rewriting of any subparts of the inhibited part, but the rules that could
have acted on it will still be active in the rest of the WFF)5.


3 While this is true for the early LCF proof checker developed at Stanford, the manual for Edinburgh LCF says little about the
goal structure and simplification, except that "the basic outline (of simplification) remains as in the original Stanford LCF system"
and that it is "the only standardised element of automatic proof in the system" (page A-39).

4 Because they have the same structure, in the sense described in the sections on UNIFY in this document.

5 See the PAIR example presented in this document.


1.0. Overview of the Goal Command Language.


GOAL consists of a tree like data structure called the goal structure, and of a set of
commands that operate on that structure. Each node of the goal structure is a goal. At the top
level, the user creates a goal by specifying a WFF to be proved and, optionally, a set of facts
or assertions: axioms, previously proved lemmas, or WFFs to be assumed. This will become
clearer  in  chapter  3. 

From  a  functional  point  of  view,  there  are  three  main  types  of  commands:  tactics,  matchers, 
and  strategies. 

The tactics are commands that reduce a goal into subgoals (the term goal refers both to
goals created by the user and to subgoals created by tactics). The matchers attempt to prove
a goal directly; they either succeed or fail, but they do not attempt to reduce the goal into
subgoals. The strategies are programmed sequences of applications of tactics and matchers.
With few exceptions, the subgoals created by tactics are necessary and sufficient conditions
for the goal to be true. Thus the goal trees are and-trees. We have not attempted to deal
with or-trees, although this can be done without major modifications to the goal structure. Our
reason for excluding or-trees is that they would drastically increase the search space,
especially in the context of the strategies for automatic theorem proving. Where the user is
controlling the expansion of the goal tree, that is by using the tactics interactively rather than
using powerful search strategies, or-trees are probably an unnecessary waste of storage
space.

The reduction rules incorporated in the tactics of GOAL are similar to those in [Bledsoe
1971, Brown 1977a, 1978, Pastre 1978]. These researchers used reductions of goals into
subgoals as a tool in theorem proving. The most complete theoretical description of subgoaling
is that of [Brown 1977a, 1978]. He views a goal as a collection of assertions plus a
collection of WFFs to be proved from those assertions, and presents a set of reduction rules
more complete than the other two researchers above. Almost all of these rules are present in
our system, though sometimes in a different form. The main exception is his rule of
skolemization on assertions, in which an existentially quantified variable of an assertion is
instantiated to a Skolem function; this rule is not present in our system in all generality, and
the UNIFY mechanism of FOL only partly makes up for its absence.

In order to do successful theorem proving, it is as important to operate on the facts as it is
to operate on the goals. From a theoretical point of view, goals ought to be viewed as a
collection of both a WFF and a set of facts, and the reduction rules ought to be described as
operations on these collections, as in [Brown 1977a, 1978]. In our system, there is a
mechanism of goal preparation that does some of the work on the facts, or assertions, of
goals, and some of the tactics operate on facts. It must be admitted, however, that the
treatment of assertions in GOAL lacks uniformity with respect to that of the WFFs of goals,
and that this is a weakness from the point of view of theorem proving. On the other hand, our
principal aim was to make an interactive goal command language for FOL, rather than to make
a successful theorem prover. The problems encountered with the treatment of facts will be
considered in more detail in the sections that deal with automatic theorem proving strategies
in GOAL.


2. THE FOL SYSTEM.


2.1.  Brief  description. 


This section gives a brief description of FOL, intended to help those readers that do not
have the FOL manual [Weyhrauch 1977] at hand. A description of the more esoteric aspects
of FOL, that do not concern us here, will be available shortly [Weyhrauch 1978a].

FOL is an interactive proof constructor based on the first order predicate calculus. Its
deduction  rules  are  of  the  Gentzen  type.  It  has  declarative  commands,  deduction  commands, 
and  decision  procedures. 

The  declarative  commands  serve  to  give  names  to  variables,  constants,  predicate  and 
function  symbols,  and  to  introduce  axioms.  Thus  various  theories  can  be  defined. 

The  deduction  commands  and  the  decision  procedures  serve  to  create  new  lines  of  the 
proof. An axiom or a line of the proof will be called a VL.1 VLs have the following parts: a line
number, or in the case of an axiom a name; a well formed formula (WFF)2; a list of
dependencies;  and  a  reason  that  tells  how  the  VL  was  obtained.  These  parts  will  be  explained 
in  the  sequel. 


ASSUMPTIONS.  A  line  can  be  assumed,  using  the  assume  command.  An  assumed  line 
depends on itself, and any VL that depends on an assumed line carries with it the dependency
on that assumption. Thus FOL keeps track of dependencies.


DEDUCTION  RULES.  Dependencies  on  assumptions  can  be  discharged  using  the  deduction 
command, also called implication introduction: if a WFF B has been proved using an
assumption A, then one can deduce the WFF A⊃B which does not depend on A any more.


EXISTENTIAL RULES. If the main quantifier of a VL is the existential symbol ∃, a name can
be assumed for the quantified variable; this is the rule of existential specialization or
elimination. A new VL is generated in which the assumed name appears in place of the
quantified variable. This VL carries a dependency on itself because of the assumed name, but
this dependency cannot be discharged by the deduction command. If the assumed name
disappears from (or is not free in) the WFF of a VL that has been proved with help of VLs that
depended on that assumed name, the dependency on the VL where the name was introduced
will disappear. However, there are some exceptions to the last statement: for instance, if the
same name was assumed for two different existential eliminations, and if a VL is generated
that depends on both eliminations, then these dependencies will not disappear even when the
assumed name is not present any more.


1 The word "VL" will be used extensively in this document. It can be thought of as a line of the proof, i.e. an already proved or
assumed fact, if one bears in mind that axioms are to be subsumed in this concept. In FOL there are no predeclared axioms,
except for the rules of the logic. Thus all axioms are entered by the user.

2 By an abus de langage we will sometimes use the word VL to refer to the WFF of a VL. The concept of VL is unnecessary in
mathematical logic, where a VL is simply a proved WFF, but it becomes necessary to introduce this concept when talking about
the machine implementation of FOL.

Conversely  to  the  rule  of  existential  specialization,  there  is  one  for  existential 
generalization: any subset of the occurrences of a term in the WFF of a VL can be
generalized  to  an  existentially  quantified  variable. 


UNIVERSAL RULES. If the main quantifier of the WFF of a VL is ∀, the quantified variable
can be specialized to any term, thereby eliminating the leading quantifier. Conversely, a free
variable can be generalized by introduction of the universal quantifier ∀, provided the variable
is not free in any axiom or in any VL upon which that one is dependent.


AND/OR RULES. From two VLs stating A and B, respectively, a new VL stating A∧B can be
obtained; conversely, from A∧B either A or B can be obtained. From a VL A and for an
arbitrary WFF C, either A∨C or C∨A can be obtained.


REWRITE.  The  rewrite  command  effects  syntactic  simplification  by  a  set  of  equivalences 
and/or  equalities;  such  sets  are  called  simpsets.  Any  occurrences  of  the  left  hand  side  of 
these  equivalences  or  equalities  are  replaced  by  the  corresponding  right  hand  sides,  until  the 
process  cannot  be  further  iterated.  When  a  VL  is  given  to  the  rewrite  command,  an  equivalent 
VL is produced and added to the proof. When a WFF is given, if it rewrites to TRUE this WFF is
added to the proof as a new VL; if it rewrites to a different equivalent WFF, a new VL stating
this equivalence is generated. When a term is given and it rewrites to a syntactically
different term, the equality of the two expressions is stated in a new VL.

Simpsets  are  defined  by  specifying  a  set  of  axioms  and/or  VLs.  When  new  VLs  are 
obtained  by  the  rewrite  command,  the  simpset  is  part  of  the  reason  of  the  new  VL,  which 
depends on any VLs of the simpset that were actually used in the simplification process. That
is, the rewrite command is smart enough so it does not make the new VL depend on the
dependencies of all the VLs in the simpset, but only on those that were applied as rewrite
rules in that particular call to the command. Rewrite, simplification sets, and match trees3 are
explained in pages 49 through 65 of the FOL manual [Weyhrauch 1977]. The rewrite
command obeys the following syntax.


Syntax:

REWRITE ALT[ <WFF> | <VL> ] BY <simpsetexpr> ;


3 Simplification sets are represented internally by LISP objects called match trees. But a user can think of the two words
simpset and match tree as synonyms. What is important, from the user's point of view, is that sets of rewrite rules can be
stored and referred to by identifiers. These identifiers must be declared to be of type simpset.


Simplification set expressions are defined by the syntax below, where "," means to take
the union of the given expressions. The binding powers of ",", "u" and "\" are that "," binds
least strongly, "\" has an intermediate binding power, and "u" is strongest.


Syntax:


<simpsetexpr>  :-  {  <vllist>  }  |  <simpset>  |
<simpsetexpr>  ,  <simpsetexpr>  |
<simpsetexpr>  u  <simpsetexpr>  |
<simpsetexpr>  \  <simpsetexpr>


In this BNF form, a simpset is an identifier that has been declared to be of type simpset.
And a VLLIST is a list of VLs and axioms, separated by commas. To form a simpsetexpr, that list
must be enclosed in curly brackets: {}.
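
The behaviour of REWRITE described above, as an added Python example that is neither FOL code nor taken from the thesis: a simpset is applied left to right until no rule applies, and the new VL depends only on the rules that were actually used. The tuple encoding of WFFs, the `?x` pattern variables, the rule names, the sample simpset and the step budget are assumptions made for the example.

```python
def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def match(pat, term, env):
    """One-way match of a rule's left hand side against a term; None on failure."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None


def subst(t, env):
    """Instantiate the pattern variables of a right hand side."""
    if is_var(t):
        return env[t]
    if isinstance(t, tuple):
        return tuple(subst(x, env) for x in t)
    return t


def simplify(term, simpset, used, budget):
    """Rewrite the arguments first, then retry at this node until no rule applies."""
    if isinstance(term, tuple):
        term = (term[0],) + tuple(simplify(x, simpset, used, budget) for x in term[1:])
    for name, (lhs, rhs, _deps) in simpset.items():
        env = match(lhs, term, {})
        if env is not None:
            budget[0] -= 1
            if budget[0] < 0:
                raise RuntimeError("step budget exhausted: the simpset may not terminate")
            used.add(name)          # remember which rule fired, for the dependencies
            return simplify(subst(rhs, env), simpset, used, budget)
    return term


def rewrite(wff, simpset, max_steps=1000):
    """Return (new VL or None, names of the rules used, dependencies of the new VL)."""
    used = set()
    result = simplify(wff, simpset, used, [max_steps])
    # Only rules that were applied contribute dependencies, not the whole simpset.
    deps = frozenset().union(*(simpset[n][2] for n in used))
    if result == "TRUE":
        new_vl = wff                        # the WFF itself becomes a line of the proof
    elif result != wff:
        new_vl = ("equiv", wff, result)     # a line stating the equivalence
    else:
        new_vl = None                       # nothing applied, nothing to add
    return new_vl, used, deps


# Constructed simpset: name -> (left hand side, right hand side, dependencies).
SIMPSET = {
    "EMPTYU": (("union", "?x", "empty"), "?x", frozenset()),
    "NOTNOT": (("not", ("not", "?p")), "?p", frozenset()),
    "ANDTRUE": (("and", "TRUE", "?p"), "?p", frozenset()),
    "L12": (("in", "a", "S"), "TRUE", frozenset({12})),   # assumed line 12
    "L7": (("in", "b", "S"), "TRUE", frozenset({7})),     # assumed line 7, never used
}
# Constructed WFF: (a in (S union empty)) and not not Q
WFF = ("and", ("in", "a", ("union", "S", "empty")), ("not", ("not", "Q")))

if __name__ == "__main__":
    print(rewrite(WFF, SIMPSET))
```

Line 7 is in the simpset but never fires, so it does not appear in the dependencies of the result; a simpset whose rules can be applied forever is stopped by the step budget.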


DECISION PROCEDURES. FOL has several decision procedures. One of these is TAUT. If a
WFF is a tautology, or if it follows tautologically from a set of axioms and VLs, a new VL
stating this WFF can be obtained by the TAUT command. The new VL depends on the union of
the dependencies of the VLs that the user said were necessary to obtain the new one. That
is, this command is not as smart as REWRITE in eliminating unnecessary dependencies; for
instance, if the WFF is a ground tautology per se but the user said it follows tautologically
from a certain VL that has dependencies, these will be carried over.

Similar to TAUT is TAUTEQ, that includes the rules of equality. Other decision procedures
are: MONADIC, that decides validity of WFFs whose prenex normal form [Mendelson 1964] is
such that all universal quantifiers precede all existential ones4; and UNIFY, a decision procedure
that matches quantified WFFs whose matrices5 are isomorphic6 and attempts to find a set of
solutions to the quantified variables. UNIFY was developed by R. Weyhrauch and A. Chandra,
and is as yet undocumented7.

Sometimes REWRITE acts as a proof procedure: namely when the WFF rewrites to TRUE, in
which case the WFF is stated as a new VL. The same happens with SIMPLIFY, a command for
semantic simplification that will not be discussed in this thesis.


4 If this seems confusing, see also the footnote about MONADIC in the section on matchers in the next chapter.

5 The WFF that remains after removal of the leading quantifiers.

6 In the sense that they have the same structure of logical connectives.

7 UNIFY is not related to the unification algorithm that is used in resolution theorem proving. Maybe it ought to be renamed to
avoid this confusion.

RESOLVE. A variation of UNIFY is RESOLVE. If a VL is a disjunction, perhaps preceded by
some quantifiers, and the negation of one of the disjuncts can be unified against another VL,
the other disjunct can be stated as a new VL, where some of the quantified variables are
instantiated according to the solutions obtained from the unification of the other. At present
RESOLVE has some bugs and some unresolved theoretical problems; nevertheless it has been
used in GOAL because it is a powerful command for the purposes of automatic proof
generation.


SORTS.  In  FOL,  variables  can  be  declared  to  be  of  some  sort.  Predicates  and  functions  can 
be  declared  to  take  arguments  of  some  sort.  Functions  can  be  declared  to  produce  terms  of 
some  sort.  Thus  some  terms  are  recognized  by  FOL  as  being  of  a  certain  sort.  Some  sorts 
can  be  declared  to  be  at  least  as  general  as  others  using  the  MOREGENERAL  declarative 
command. For instance, in several versions of Set Theory there are sets and classes, the
latter being more general than the former.

Sorts  affect  many  of  the  previously  mentioned  commands.  In  particular,  they  affect  the 
quantifier  rules  and  the  simplification  commands.  They  also  affect  the  UNIFY  command,  but  the 
current  version  of  UNIFY  does  not  take  sorts  into  account. 

Sorts  introduce  many  complications,  some  of  which  have  not  yet  found  a  satisfactory 
solution.  They  shall  not  be  dealt  with  in  this  thesis. 


ADMINISTRATIVE  COMMANDS.  There  are  also  some  strictly  administrative  commands,  the 
most important one being the SHOW command, used to display axioms, VLs, declarations, and
proofs. In GOAL there is an analog to the show command. Another important one is the CANCEL
command, used to erase a proof or an arbitrary end segment of it; that is, all the VLs with line
numbers greater than or equal to the number passed as argument. There is also a GOAL
analog  to  this  command. 


2.2.  The  style  of  proof  construction  in  FOL. 


FOL  has  no  facilities  other  than  GOAL  for  goal  oriented  proof  construction.  Formal  proofs  in 
FOL  are  much  longer  than  the  informal  proofs  of  mathematics;  this  is  true  even  for  the  more 
formal  domains  like  axiomatic  Set  Theory.  The  user  has  to  type  at  least  as  many  commands  as 
there are VLs in the proof.

When  constructing  a  proof,  it  is  often  difficult  to  keep  track  of  its  overall  structure 
because  one's  attention  tends  to  get  caught  in  the  detail.  This  is  because  the  commands  are 
so  atomic:  facts  that  appear  obvious  to  the  mathematician  often  require  a  dozen  or  more 
commands  and  a  considerable  amount  of  detail  work. 

This  problem  does  not  rest  with  FOL,  but  with  the  first  order  predicate  calculus.  Logicians 
seldom use this calculus to prove any theorems; rather, they study it in order to make sure
that their theorems can be proved in the calculus. When they expound formal theories in
books, the majority of the proofs given do not fill in all the details. These proofs aim at
convincing that one knows how to fill in the missing details. Complete formal proofs of some
simple  theorems  are  only  given  as  pedagogic  examples.  However,  no  formalisms  that  are 
convincingly  more  powerful  and  equally  general  as  this  calculus  are  known  at  present. 

One way of alleviating this problem is to add to FOL facilities for automatic generation of
proofs of "obvious" facts. Another is to look for commands that produce shorter proofs. Of the
latter kind, the simplification commands are very useful; so are also the decision procedures
TAUT,  TAUTEQ,  MONADIC  and  UNIFY  and  the  related  RESOLVE  command.  Of  the  first  kind  are 
the  strategies  for  automatic  proof  generation  described  in  this  thesis. 

Yet the principal way in which GOAL attempts to alleviate the problem is by providing a
facility for goal oriented, top down proof construction. In any case, the final proof looks the
same;  but  the  tree-like  goal  structure  can  be  used  as  a  recordkeeping  facility  that  remembers 
the  structure  of  the  proof  and  can  be  referenced  at  any  time  when  the  user  wishes  to  remind 
himself  of  what  remains  to  be  done. 


3. THE STRUCTURE OF GOAL.


3.1.  Overview. 


This  chapter  describes  GOAL.  First  it  describes  the  data  structure  upon  which  GOAL 
commands operate, called the goal structure. Then it describes the GOAL commands.

The  data  structure  is  a  list  of  goal  trees.  Each  goal  tree  is  a  recursive  data  structure  in 
which  all  nodes  have  the  same  structure.  The  root  of  the  tree  is  a  top  level  goal,  any  nodes 
below  are  subgoals.  The  term  goal  refers  to  either.  Top  level  goals  are  created  by  the  user 
using  the  GOAL  command.  Any  other  goals  are  created  by  the  tactics  described  below. 

There are several types of GOAL commands: the GOAL command, which creates top level
goals; the ABANDON command, which prunes a branch of a goal tree; and an
administrative showgoal command. But the most important GOAL command is TRY. It is used to
invoke  the  operative  elements  that  operate  on  the  goal  structure.  There  are  three  types  of 
operative  elements:  tactics,  matchers,  and  strategies. 

The  tactics  create  new  subgoals  by  decomposing  a  goal.  The  matchers  attempt  to  prove  a 
bottom  level  goal,  or  leaf  of  a  goal  tree,  directly.  The  strategies  are  programmed  sequences  of 
applications  of  tactics  and  matchers. 

Goals have statuses; the three mutually exclusive statuses are: untried, tried, and proved.
At any time, the leaves of a goal tree are either untried or proved, and the other nodes are
tried. Trying a goal means invoking an operative element on it. Only untried goals can be
tried.  However,  trying  a  goal  changes  its  status  only  if  the  operative  element  succeeds;  then 
it  becomes  either  proved  or  tried.  Tried  (but  not  proved)  goals  can  be  abandoned,  in  which 
case  they  become  again  untried. 

The  difference  between  the  three  types  of  operative  elements  can  be  defined  precisely 
with  regard  to  the  GOAL  code.  However,  from  the  point  of  view  of  the  functional 
characteristics of the operative elements, this classification is not as clear cut: some tactics
may  succeed  in  proving  a  goal  directly,  in  which  case  they  act  like  a  matcher;  and  some 
strategies  may  do  little  more  than  a  tactic,  while  others  may  be  powerful  theorem  provers. 

Each  goal  has  a  number  of  parts,  some  of  which  may  be  empty.  These  parts  carry  data 
that  is  used  and  changed  in  various  ways  by  the  GOAL  commands  that  operate  on  and  change 
the goal structure. Among the parts of a goal we find facts and simpsets. The operation of
trying  a  goal  has  a  side  effect  called  preparation  of  the  goal,  that  often  introduces  changes 
to  these  parts.  The  special  command  prepare  can  be  invoked  by  the  user  to  provoke  this  side 
effect  without  actually  trying  the  goal;  this  may  add  new  facts  or  simpsets  to  the  goal  and 
new  lines  to  the  proof. 

Goals can be referred to by a numbering system. In most GOAL commands, the user can
either give an explicit reference to a goal or use the default for that command. There are
three  basic  defaults:  the  current,  the  next,  and  the  last  goal.  These  are  pointed  to  by  global 
variables  that  change  dynamically  as  the  man-machine  conversation  unfolds. 


3.2.  Goals. 


The  Goal  Structure  is  roughly  speaking  the  converse  of  the  proof  structure  in  FOL.  In  the 
proof  structure,  new  lines  of  the  proof  are  produced  by  invoking  FOL  inference  commands  or 
decision  procedures.  In  the  goal  structure,  the  user  specifies  at  the  top  level  the  WFF  to  be 
proved, giving also some information as to the facts that need be used and how they will be
used.  Tactics  decompose  this  WFF  into  sets  of  subgoals.  The  subgoals  are  sufficient,  and 
with  a  few  exceptions  also  necessary,  conditions  for  the  original  goal  to  be  true. 

This  process  of  tearing  apart  goals  can  be  applied  recursively  so  that  a  tree  structure  is 
generated.  At  any  moment,  the  leaves  of  the  tree  represent  sufficient  conditions  for  the  root 
of  the  tree  to  be  true,  and  the  system  knows  how  to  produce  a  proof  of  the  original  goal  when 
all  the  leaves  have  been  proved. 

Top level goals are those created by the user directly. Invocation of tactics creates
subgoals of a goal, which we call its sons. Thus, top level goals are those that do not have a
parent. The sons of a goal behave in every respect like a goal, therefore the term goal will
refer indistinctly to goals at any level in the tree.

At any time, a goal has one of the following statuses:

UNTRIED: it has no sons and it has not been proved;

TRIED: it has sons (these have been necessarily created by a tactic);

PROVED: the WFF of the goal has become a line of the proof
(and the structure remembers the number of that line).

When the last son of a tried goal is proved, the system immediately proves that goal; that
is to say, it applies some deduction rule of FOL to the lines that correspond to the proved
sons, thereby generating a new line of the proof that matches the WFF of the goal whose
status then becomes proved. We call this process unwinding; its result is a FOL proof that
looks  the  same  as  one  generated  by  a  user  of  FOL. 

When a goal is proved, its sons are removed and cannot be accessed any more (i.e., they
will be eventually disposed of by the LISP garbage collector).

3.3. Treatment of assertions (or facts).


This section offers an overview of the treatment of facts or assertions in GOAL. It refers
to several concepts that will be explained in detail in the following sections. Facts are
treated mainly by the prepare mechanism. A complete description of this subject will be given
in the section on goal preparation.

It has been said in the introduction that one should view goals as sets of WFFs to be
proved and sets of facts or assertions. In the implementation of GOAL, the facts are attached
to the goal as an a-list. The facts are axioms or VLs. The user can also specify WFFs to be
attached to this list; in this case, the preparation mechanism (that will be explained later)
assumes these WFFs using the FOL command assume; thus they become VLs.

The facts of a goal are passed down to its sons. Often new facts are added to sons.
Thus, with a few exceptions, the facts of a goal are a subset of the facts of its sons.

The  user  can  specify  facts  in  two  ways:  using  assume  or  sassume.  The  second  option 
causes  the  fact  to  be  included  into  the  list  of  simplification  rules  (simpsets)  attached  to  the 
goal. 

Besides those facts given by the user, we find facts created by the mechanisms of GOAL.
Some tactics create new facts: for instance, when an implicational WFF of the form A⊃B is
tried by the "⊃I" tactic, a goal B is obtained and A is assumed (or sassumed, depending on the
structure of A). Also, when a goal is proved but some of its brothers are still unproved, that
goal is added to the facts of those unproved brothers and of their descendants as well. There
are still other ways in which new facts are generated; these will be discussed when we
explain the prepare mechanism.

GOAL  does  not  offer  the  user  as  much  control  over  the  facts  as  it  does  with  respect  to  the 
treatment  of  the  WFF  of  the  goal.  This  can  be  seen  as  a  drawback  because  it  limits  the  kinds 
of  strategies  that  can  be  easily  programmed. 

It should be mentioned that there are two parts of a goal that hold facts: they are called
FACTS and ADDEDFACTS. Facts added to a goal, either upon its creation or later, usually go to
ADDEDFACTS, except for those created by the prepare mechanism itself. This mechanism
empties ADDEDFACTS and passes its contents over to FACTS. There are several implementation
reasons why we chose to do things that way; one of the effects obtained is that WFFs
given by the user using ASSUME and SASSUME are not added to the proof or put into the
simpsets until the goal is actually tried; the same delayed effect applies for other
transformations the prepare mechanism does to the facts.

3.4. The parts of a goal.


The following parts are imbedded in the structure of unproved goals. When the goal is
untried, many of these parts are NIL. Proved goals have a different structure: they just have
a goal number, a VL (as opposed to a WFF), and sometimes a reason 1 that indicates how they
were obtained.


GOAL NUMBERS. They number brother goals starting with 1. Brother goals are those that
have a common parent; also the top level goals are considered to be brothers. Thus goals can
be referred to by means of a list of natural numbers, each one preceded by the token #. For
instance: #3#1#1#2 means the second son of the first son of the first son of the third
element of the list of top level goals.


GOALWFF.  The  WFF  of  the  goal. 


DESCENDANTS.  The  list  of  sons;  these  are  goals. 


REASON. Indicates how its sons were obtained; it contains all the necessary information
so the unwinding mechanism can prove the WFF of the goal by referring to the VLs that prove
its sons.


FACTS. A collection of pointers to VLs that are stored with the goal; these VLs are used
by the matchers in various ways when trying to prove the goal; they are also used sometimes
by "CASES". They are stored in a list of association lists, because they may be used in a
number of different ways. Some of them may be assumptions indicated by the user, or created
by the GOAL system, or proved sub-goals that are brothers of the goal or of some ancestor
of it.


SIMPSETLIST.  A  list  of  simpsets  associated  with  a  goal.  It  would  be  more  logical  to 
condense  all  these  simpsets  into  just  one.  That  simpset  would  have  to  be  expanded  and 
shrunk  dynamically  when  the  goal  tree  is  created  and  traversed,  and  this  poses  problems  of 
implementation  that  make  it  more  convenient  to  store  lists  of  simpsets  instead. 


SIMPSETREASONLIST. A list of the VLs and names of simpsets in the SIMPSETLIST, so that
the system can produce reasons for the steps of the proof it generates, in the same way FOL
does. (Reasons for proof steps indicate how the VLs are obtained in FOL).


SIMPSETADDFLAG. A flag indicating whether additions have occurred to the SIMPSETLIST;
this flag is used by some automatic theorem proving strategies in order to know whether it
makes sense to attempt rewriting anew.


1 This is not to be confused with the reason of a VL nor with the REASON of a tried goal.


ADDEDFACTS. Any information contained here is eventually passed over to FACTS; here
there may be VLs or WFFs, indicated by the user or produced by the system; it was thought
convenient to have a separate list of this kind, because it permits treating FACTS more
uniformly and also because it indicates whether any new facts have been added to the goal
since the last time it was tried (this information is used by some automatic theorem proving
strategies).


QUANTELIMLIST. A list of the quantifier eliminations made down the goal tree; this has
many uses; it keeps track of bindings made in brother branches of the tree, to assumed
existential eliminations in the proof, so as to know whether a match may be such that the
proof would not unwind. It is also used by UNIFY so as to reconstruct some matches that could
not otherwise be unified. In these ways GOAL makes a limited amount of skolemization.


3.5. Skolemization and the Quantelimlist.


To Skolemize an existentially quantified variable in a goal is to eliminate the quantifier and
to replace the quantified variable by a variable name that matches any term of the same sort.
An analogous operation can be done on a universally quantified variable in an assertion of the
goal [Brown 1977a, 1978].

For example: if a goal is ∀x.∃y.∀z.P(x,y,z), and we do a universal, an existential, and a
universal subgoaling operation, we obtain as a goal: P(x,y,z). But x, y, and z ought to have a
different status in that subgoal: x and z have to be free variables, while y could be matched
against (almost) any term. More precisely, y can be matched against any term that does not
depend on z; for instance, against a term t(x) which contains some free occurrences of x.
Skolemizing in this case means subgoaling to: P(x,f(x),z), where f(x) is a Skolem function of
the variable x. The use of Skolem functions in theorem proving is discussed in a number of
textbooks, for instance in [Nilsson 1971].

In GOAL, Skolemization is performed by recording quantifier eliminations in the
QUANTELIMLIST. When a variable that has been Skolemized in this way is matched at some
node in the goal tree, then the same variable cannot be matched again to a different term at
some other node, i.e. it is not free any more. The QUANTELIMLIST keeps track of such bindings
and records the node where the binding was made. The abandon command sometimes frees
again a variable that has been bound in this way: namely, it does so when the node at which
the binding was performed lies below the goal being abandoned.

For example, if the original goal were ∀x.∃y.∀z.(P(x,y,z)∧Q(x,y,z)), after several subgoaling
operations we may have the two subgoals P(x,y,z) and Q(x,y,z). In this case GOAL would
remember, for either one of these two subgoals, the series of universal and existential
subgoaling operations that were performed down the goal tree. It would be able to match the
variable y, in either subgoal, against an arbitrary term provided it does not contain any free
occurrences of z. Now suppose that one of the subgoals is matched. Say Q(x,y,z) is matched
against Q(x,t(x),z), for some term t(x). After that, GOAL will refuse to match y in P(x,y,z)
against anything else but t(x). We say y has become bound to t(x).

Now, what if the choice of t(x) was wrong in the first place, so that the user wants to
take it back? Both subgoals have a common parent, which is P(x,y,z)∧Q(x,y,z). Upon this
parent (or some ancestor of it) being abandoned 2, GOAL will free y so that it can again be
matched with some other appropriate term.

Further illustration of the use of this feature of GOAL can be found later in this manuscript:
in the PAIR example shown in the section on automatic theorem proving, and in the description
of the matcher EQUNIFY.
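
The binding discipline described in this section can be modelled in a few lines. The following is an added example, not code from GOAL (which is written in LISP); the class QuantElimList, its methods, the tuple encoding of terms and the goal-path tuples are all assumptions made for illustration.

```python
def free_vars(term):
    """Variables of a term; a term is a variable name or (function, arg, ...)."""
    if isinstance(term, str):
        return {term}
    return set().union(*(free_vars(a) for a in term[1:]))

def lies_below(node, ancestor):
    """True when goal `node` is a proper descendant of goal `ancestor`."""
    return len(node) > len(ancestor) and node[:len(ancestor)] == ancestor

class QuantElimList:
    """Hypothetical model of the QUANTELIMLIST of one branch of the goal tree."""
    def __init__(self):
        self.elims = []    # (kind, variable) in the order eliminated down the tree
        self.bound = {}    # Skolemized variable -> (term, node where it was bound)

    def eliminate(self, kind, var):
        self.elims.append((kind, var))

    def forbidden(self, var):
        """Universal variables eliminated after `var`; its match may not use them."""
        i = self.elims.index(("exists", var))
        return {v for kind, v in self.elims[i + 1:] if kind == "forall"}

    def match(self, var, term, node):
        """Try to match Skolemized `var` against `term` at goal `node`."""
        if var in self.bound:                      # already bound elsewhere in the tree
            return self.bound[var][0] == term
        if free_vars(term) & self.forbidden(var):  # the proof would not unwind
            return False
        self.bound[var] = (term, node)
        return True

    def abandon(self, node):
        """Free the variables whose binding was made below the abandoned goal."""
        freed = sorted(v for v, (_, at) in self.bound.items() if lies_below(at, node))
        for v in freed:
            del self.bound[v]
        return freed

def skolem_demo():
    # The goal of the text: ∀x.∃y.∀z.(P(x,y,z)∧Q(x,y,z)), torn down to P and Q.
    q = QuantElimList()
    for kind, var in (("forall", "x"), ("exists", "y"), ("forall", "z")):
        q.eliminate(kind, var)
    P, Q = (1, 1, 1, 1, 1), (1, 1, 1, 1, 2)   # sons of the goal P∧Q at #1#1#1#1
    return [
        q.match("y", ("g", "z"), Q),   # refused: the term depends on z
        q.match("y", ("t", "x"), Q),   # accepted: y becomes bound to t(x)
        q.match("y", ("s", "x"), P),   # refused: y is bound to t(x)
        q.match("y", ("t", "x"), P),   # accepted: same term
        q.abandon((1, 1, 1, 1)),       # abandoning the parent frees y
        q.match("y", ("s", "x"), P),   # accepted after the abandon
    ]
```
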


3.6.  Unwinding. 


When a sub-goal (i.e. any goal that has a parent) is proved either by a matcher or by the
unwinding mechanism, its parent is looked at. If all the sons of that parent are proved, the
proof of the parent is produced; otherwise, the just proved sub-goal is added to the
ADDEDFACTS of its unproved brothers (the unproved sons of its parent), and of the
descendants of these, so they will be used by the matchers and sometimes added to the
simpsets (depending on the structure of the WFF of the proved goal).

When a goal is matched, the unwinding mechanism also looks at the QUANTELIMLIST and
checks whether a Skolemized variable in the GOALWFF has been matched in a way that
makes it depend on some existential elimination in the proof, i.e., it checks whether any
variables that came from existential eliminations performed in the goal tree appear as
assumed names for existential eliminations in any of the VLs on which the newly proved goal
depends. If this is the case, the said variables are bound in the QUANTELIMLIST, and these
bindings carry over to all the nodes that descend from the node where that existential
elimination was performed. For a proper understanding of this, the reader is referred to the
documentation of the FOL existential elimination rule in [Weyhrauch 1977].
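
The goal statuses, goal references, and the first paragraph of this section (unwinding, and passing a proved goal to its unproved brothers) can be seen working together in a small model. This is an added example and not GOAL's own code: the names Goal, GoalSystem, AND_I and DED are assumptions, the matcher is a stand-in that only looks a WFF up among the facts, and FACTS and ADDEDFACTS are merged into one list.

```python
from dataclasses import dataclass, field
from typing import Optional

UNTRIED, TRIED, PROVED = "UNTRIED", "TRIED", "PROVED"

@dataclass(eq=False, repr=False)
class Goal:
    wff: object                              # GOALWFF: atom or ("and"|"imp", A, B)
    parent: Optional["Goal"] = None
    sons: list = field(default_factory=list)         # DESCENDANTS
    reason: Optional[str] = None             # REASON: rule the unwinder applies
    added_facts: list = field(default_factory=list)  # ADDEDFACTS
    vl: Optional[int] = None                 # proof line number once proved

    @property
    def status(self):
        if self.vl is not None:
            return PROVED
        return TRIED if self.sons else UNTRIED

class GoalSystem:
    def __init__(self):
        self.top = []      # top level goals, brothers of one another
        self.proof = []    # proof lines as (wff, justification)

    def goal(self, wff, assume=()):
        g = Goal(wff, added_facts=list(assume))
        self.top.append(g)
        return g

    def ref(self, goalref):
        """Resolve '#1#2#1' by walking son numbers down from the top level."""
        level, g = self.top, None
        for n in (int(x) for x in goalref.split("#")[1:]):
            if not 1 <= n <= len(level):
                raise LookupError("nonexistent goal " + goalref)
            g = level[n - 1]
            level = g.sons
        if g is None:
            raise LookupError("empty goal reference")
        return g

    def try_goal(self, g, tactic):
        """Apply a tactic (the inverse of an inference rule) to an untried goal."""
        if g.status != UNTRIED:
            raise ValueError("only an untried goal may be tried")
        kind = g.wff[0] if isinstance(g.wff, tuple) else None
        if tactic == "AND_I" and kind == "and":
            wffs, new_facts = [g.wff[1], g.wff[2]], []
        elif tactic == "DED" and kind == "imp":
            wffs, new_facts = [g.wff[2]], [g.wff[1]]   # the antecedent is assumed
        else:
            raise ValueError(tactic + " does not apply")
        g.reason = tactic
        g.sons = [Goal(w, g, added_facts=g.added_facts + new_facts) for w in wffs]
        return g.sons

    def match(self, g):
        """Stand-in matcher: succeeds when the GOALWFF is literally one of the facts."""
        if g.status != UNTRIED or g.wff not in g.added_facts:
            return False
        self._proved(g, "matched fact")
        return True

    def _proved(self, g, why):
        self.proof.append((g.wff, why))
        g.vl, g.sons = len(self.proof), []     # sons of a proved goal are dropped
        p = g.parent
        if p is None:
            return
        unproved = [s for s in p.sons if s.status != PROVED]
        if not unproved:                       # last son proved: unwind the parent
            self._proved(p, "%s %s" % (p.reason, [s.vl for s in p.sons]))
        else:                                  # inform unproved brothers and descendants
            for b in unproved:
                self._share(b, g.wff)

    def _share(self, g, wff):
        if wff not in g.added_facts:
            g.added_facts.append(wff)
        for s in g.sons:
            self._share(s, wff)

def unwind_demo():
    s = GoalSystem()
    s.goal(("and", ("imp", "P", "P"), ("imp", "Q", ("imp", "P", "P"))))
    s.try_goal(s.ref("#1"), "AND_I")
    s.try_goal(s.ref("#1#2"), "DED")            # son #1#2#1: P⊃P, with Q assumed
    early = s.match(s.ref("#1#2#1"))            # fails: P⊃P is not yet a fact
    s.try_goal(s.ref("#1#1"), "DED")            # son #1#1#1: P, with P assumed
    s.match(s.ref("#1#1#1"))                    # proves #1#1#1 and unwinds #1#1
    shared = list(s.ref("#1#2#1").added_facts)  # P⊃P arrived from brother #1#1
    s.match(s.ref("#1#2#1"))                    # proves it, unwinds #1#2 and #1
    return s, early, shared
```

The justification column of the resulting proof records which lines each unwinding step used, which is the role the text assigns to REASON.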


3.7.  Defaults:  current,  next  and  last  goal. 


There are three defaults. They are kept track of by global variables. Initially they are all NIL.
If the user defaults by not specifying an optional argument in a call to a command and the
default variable for that command is NIL at that time, the ensuing error message indicates that
the command does not know what goal to try. The defaults obey the following rules.


2 With the ABANDON or with the RETRY command.

NEXTGOAL. It is an untried goal. This is the default for the TRY command. Thus it can be
thought of as the next goal to be tried. It is the last goal created, prepared, or abandoned,
either by the user or by some GOAL command.


LASTGOAL.  The  last  goal  decomposed  by  an  invocation  of  the  TRY  command.  That  is, 
successfully  tried  by  a  user  invoked  tactic,  or  tried  by  a  strategy  that  succeeds  in 
decomposing  it. 


CURRENTGOAL.  The  last  goal  tried  by  any  tactic  or  matcher. 

The unwinding mechanism causes the following irregularities in the rules above: it resets
CURRENTGOAL to the father of the last goal proved by either a matcher or the unwinding
mechanism, and NEXTGOAL to some unproved son of CURRENTGOAL, that is to a brother of the
last proved goal. If LASTGOAL becomes proved, then it is reset to the same as CURRENTGOAL.
When a top level goal is proved, all three defaults become NIL.


3.8.  The  GOAL  commands. 


3.8.1.  Goal  creation. 


GOAL. This command is used to create a top level goal. The user must specify the WFF
and can also indicate assumptions, sassumptions and simpsets. A sassumption is an assumption
that also gets added to the simpset. The assumptions can be WFFs, VLs, or axioms. Those
that are WFFs are written onto the proof by the ASSUME command of FOL when the goal is
tried. By default, the special simpsets LOGICTREE and COMPTREE (automatic instantiation of
the axiom scheme of comprehension for sets) are included, but the user can prevent this by
saying "NOTREES".


Syntax:

GOAL <WFF> [OPT ASSUME REPT(ALT[ <WFF> | <VL> ])]

[OPT SASSUME REPT(ALT[ <WFF> | <VL> ])]

[OPT SIMPSET <simpsetexpr> ]

[OPT NOTREES] ;

Along  with  the  syntax  of  GOAL  commands,  we  shall  show  examples  of  their  use.  In  this 
first  example  we  start  with  some  FOL  definitions  in  order  to  set  up  the  context  of  our 
examples. 
Let us recall that the five asterisks "*****" are the prompting response of FOL. Most user
commands end with one semicolon, except the AXIOM command, which ends with a double
semicolon. What comes after the semicolon, up to the next "*****", is the response of GOAL or
FOL.


Example:


*****DECLARE INDVAR x y z z1 u v w;

*****DECLARE PREDCONST ∈ 2 [INF];

*****AXIOM EXTENT: ∀x y.(x=y≡∀u.(u∈x≡u∈y));;
EXTENT: ∀x y.(x=y≡∀u.(u∈x≡u∈y))

*****AXIOM PAIR: ∀x y.∃w.∀u.(u∈w≡(u=x∨u=y));;
PAIR: ∀x y.∃w.∀u.(u∈w≡(u=x∨u=y))

*****GOAL ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))

ASSUME PAIR SASSUME EXTENT;

Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))

*****


3.8.2.  Referencing  goals. 


Many commands take a goal as argument. Goals are referenced by a numbering system. A
goal reference is a list of natural numbers, each preceded by the token #. The first one is
the number of a top level goal; the next is the number of one of its sons; the following, the
number of a son of that son; and so forth. An error message ensues when a nonexistent goal
is referenced.


Syntax:


<goalref> := REPT[ # <natnum> ]

Examples:


#3#1#1#2

#1


3.8.3. Addition of Facts to a Goal.


ADDFACTS. This command is used to add facts to an already existing, untried goal. It
uses almost the same syntax as the GOAL command, except that a goal reference must
appear instead of the WFF. This command does not have any default; the goal reference must
be explicit.


Syntax: 

ADDFACTS  <goalref>  [OPT  ASSUME  REPT(ALT[  <WFF>  |  <VL>  ])] 

[OPT  SASSUME  REPT(ALT[  <WFF>  |  <VL>  ])] 

[OPT  SIMPSET  <simpsetexpr>] 

[OPT  NOTREES]  ; 

The  following  two  commands  achieve  the  same  effect  as  the  previous  example  of  goal 
creation. 


Example: 

*****GOAL ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z));
Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
*****ADDFACTS #1 ASSUME PAIR SASSUME EXTENT;

*****


3.8.4.  Trying  Goals. 


The operative elements of GOAL are the tactics, matchers, and strategies. All of these
are called by the TRY command, using the same initial syntax; however, many of these require
additional information, that is parsed by the parser associated with that operative element.
This additional information is given at the end of the TRY command; its syntax depends on the
particular operative element and will be described in the sections on tactics, strategies, and
matchers.

TRY. This command is used to apply a tactic, strategy, or matcher, to a goal. The user may
specify the goal in two different ways: by a goal reference; or by a natural number, meaning
the number of a son of CURRENTGOAL. Otherwise the default NEXTGOAL is tried (if this is NIL,
an error message is given). The user has to specify the tactic, strategy, or matcher, and give
any additional information that may be required by that particular operative element. Only an
untried goal may be tried by this command. In the syntax below, op_name is the name of a
tactic, matcher, or strategy; and op_info is the additional information required by that
operative element (possibly none); these two items will be described, for each element, in the
section on the operative elements.


Syntax:

TRY [OPT ALT[ <goalref> | <natnum> ] ] USING <op_name> <op_info> ;

where

"<op_name>" is the name of a tactic, matcher, or strategy, and

"<op_info>" is any additional, specific information required by that element.

Only untried goals may be tried; a goal whose status is tried can be abandoned and then
tried again. The following command combines these two functions.


RETRY. Combines ABANDON and TRY. This command does not admit a default: it requires an
explicit goal reference. If the goal is untried, it will be accepted and tried.


Syntax:

RETRY <goalref> USING <op_name> <op_info> ;

For an illustration of the use of this command, see the examples in the section on the
matcher UNIFY.


3.8.5. QED.


The QED command is to be used only when the GOALWFF is exactly equal (except for the
names of bound variables) to that of a VL. It does not cause any new line to be added to the
proof; instead it records that the goal is proved by that VL and it invokes the unwinding
mechanism.

The two arguments are optional. The defaults are: NEXTGOAL for the goal reference, and
the last VL in the proof, for the VL.

Syntax:


QED [OPT <goalref> ] [OPT <VL> ];


3.8.6.  Abandoning  Goals. 


ABANDON. Applied to a tried goal, it makes it untried by garbage collecting its sons. The
user may specify the goal number, or by default the last goal that was tried is abandoned.


Syntax:

ABANDON [OPT <goalref> ] ;

For  an  illustration  of  the  use  of  this  command,  see  the  examples  in  the  section  on  the 
matcher  UNIFY. 


3.8.7.  User  invoked  preparation. 


PREPARE. This command invokes the preparation mechanism without actually trying a goal;
its main use is for causing the assumed WFFs of a goal to be written onto the proof. It has a
"PLUS" switch that can be used to add facts to the goal. It uses the same initial syntax as
TRY for referring to the goal, and it has the same default, NEXTGOAL. It does not reset any of the
defaults.


Syntax: 


PREPARE  [OPT  ALT[  <goalref>  |  <natnum>  ]  ]  ; 


3.8.8.  Displaying  goals. 


SHOWGOAL. It displays the goals together with their attached properties. It is a very
verbose command, but it has a TERSE option. If no arguments are given, all top level goals and
all of their descendants are displayed. Optional arguments are: 1) a goal reference, or one of
the words: nextgoal, lastgoal, or currentgoal; in this case only that goal and its descendants
are displayed; 2) "DEPTH <natural number>", in which case descendants only down to a
certain level are displayed (the number can be 0); 3) "TERSE" for the terse option. The terse
option is recommended for seeing the goal tree in perspective. The verbose option is useful
for examining the parts of a goal; in this case it is recommended to use a small depth, 1 or 0,
in order to limit the size of the typed response.


Syntax:

SHOWGOAL [OPT ALT[ <goalref> | NEXTGOAL | LASTGOAL | CURRENTGOAL ] ]
[OPT DEPTH <integer> ]

[OPT TERSE] ;


Examples:


*****SHOWGOAL;

Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
VLSASSU: EXTENT ∀x y.(x=y≡∀u.(u∈x≡u∈y))

VLASSU: PAIR ∀x y.∃w.∀u.(u∈w≡(u=x∨u=y))

Simpsets: ( BY LOGICTREE COMPTREE)

*****SHOWGOAL TERSE;

Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))

*****


3.9. The operative elements of GOAL.


The building blocks of GOAL are its operative elements: the tactics, the strategies, and the
matchers. GOAL has been designed to allow for easy addition of new operative elements; in
the section on expanding GOAL, we shall look at the structure of the operative elements in
more detail. For this section, it is enough to know that each operative element has a name
and a parsing routine associated with it.

All the operative elements are called by the TRY command. As we described that command,
we introduced two syntactic items: op_name and op_info. In this section, we shall look at the
operative elements that are now present in GOAL. For each one, its function will be described,
and the two syntactic items above will be defined.

3.9.1. Tactics.


The tactics attempt to decompose the goal into (expectedly simpler) subgoals. Most
tactics transform the GOALWFF, the main exception being the tactic CASES. Any successful
application of a tactic produces one or more sons of the goal. Tactics do not try to decompose
those sons any further. The status of the goal becomes tried; the status of the newly
created sons is untried.

Most tactics create subgoals that are necessary and sufficient conditions for the goal to
be true; but some create subgoals that are only sufficient; when the latter is the case, we
shall state it explicitly as we describe the tactic.

At  present  we  have  the  following  tactics. 


3.9.1.1. Universal rule: ∀I.


The main symbol of the GOALWFF must be "∀". The matrix of the WFF is produced as a
subgoal, i.e., the leading universals are eliminated. By default, the quantified variables are
instantiated to the same variable names, but a different instantiation can be specified by the
user. The optional op_info is a list of variable names without repetitions; the parser also
checks whether these variables are free in some axiom and whether they are of sort at least
as general as the quantified variable, and gives error messages if it finds conditions that
would make it impossible to unwind the proof. The standard name ∀I refers to the FOL rule by
which the proof of the goal will be produced in the unwinding process.

<op_name> := ∀I | UG | ug
<op_info> := OPT[ REPT[ <variable name> ]]

The  following  examples  start  with  the  goal  created  in  the  previous  example  of  the  GOAL 
command.  They  form  a  sequence  of  commands,  except  where  noted  otherwise.  Thus  the 
default  nextgoal,  which  is  the  last  goal  created,  applies  to  most  of  them. 


Example: 


*****TRY USING ∀I;

Goal #1#1: ∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))


3.9.1.2. Existential rule: ∃I.


The main symbol of the GOALWFF must be "∃". The matrix of the WFF is produced as a
subgoal, i.e., the leading existentials are eliminated. By default, the quantified variables are
instantiated to the same variable names, but a different instantiation can be specified by the
user. The optional op_info is a list of terms. If these terms already appear in the WFF, a list
of occurrences is kept so the proof will unwind properly.

<op_name> := ∃I | EG | eg
<op_info> := OPT[ REPT[ <term> ]]


Example: 


*****TRY USING ∃I;

Goal #1#1#1: ∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)
*****


3.9.1.3. Conjunction rule: ∧I.


The main symbol of the GOALWFF must be "∧". The two conjuncts are produced as
subgoals. Op_info is nil.


<op_name> := ∧I | AI | ai


Example: 


*****TRY USING ∧I;


Goal #1#1#1#1: ∀w.(w∈z≡(w=x∨w=y))

Goal  ∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)


*****

3.9.1.4. Equivalence rule: ≡I.

The main symbol of the GOALWFF must be "≡". Two subgoals are produced: if the
GOALWFF is "A ≡ B", the subgoals are "A ⊃ B" and "B ⊃ A". Op_info is nil.

<op_name> := ≡I | EQUIV | equiv

Example: 

*****TRY 1 USING ∀I;

Goal #1#1#1#1#1: w∈z≡(w=x∨w=y)

*****TRY USING ≡I;

Goal #1#1#1#1#1#1: w∈z⊃(w=x∨w=y)

Goal  (w=x∨w=y)⊃w∈z

*****

3.9.1.5. Deduction rule: ⊃I.

The main symbol of the GOALWFF must be "⊃". One subgoal is produced: if the GOALWFF
is "A ⊃ B", the WFF of the subgoal is "B", and "A" is added to it as an assumption or
sassumption. Whether it will be a sassumption or not, i.e. whether it will be added to the
simpset, depends on a test performed by the preparation mechanism; it will if it is an
equivalence or equality, possibly preceded by some universal quantifications. Op_info is nil.

<op_name> := ⊃I | DED | ded

Example: 

*****TRY USING ⊃I;

Goal  w∈z

*****

In the last example, the antecedent w=x∨w=y has been attached to the goal as a WFF to
be assumed. When the goal is tried, or prepared, that WFF will be written onto the FOL proof.
The next example will show this.


3.9.1.6. Rule of CASES.


The basic idea behind this tactic can be expressed in the following tautology:


((A∨B)⊃C) ≡ (A⊃C)∧(B⊃C).

But the tactic can be used in several ways, depending on the arguments given by the user
in the optional op_info.

If the argument is an axiom or VL, this must be a disjunction, possibly preceded by some
existential quantifications; then, if the GOALWFF is, say, "C", and the axiom or VL is, say, "A
∨ B", the following two subgoals are produced: "A ⊃ C" and "B ⊃ C". If that axiom or VL is
already among the facts of the goal being tried, it is removed from the facts of the sons.

If no argument is given, the tactic searches for a disjunction, possibly preceded by
existential quantifications, among the facts of the goal, and proceeds as above.

The argument can also be a WFF, say, "A"; this produces cases on the tautology "A ∨ ¬A".

<op_name> := CASES | cases
<op_info> := OPT[ VL | WFF ]


Example: 


*****TRY USING CASES;

1 w=x∨w=y (1)

Goal #1#1#1#1#1#2#1#1: w=x⊃w∈z
Goal  w=y⊃w∈z

3.9.1.7. Syntactic simplification: REWRITE.


The GOALWFF is rewritten using the syntactic simplifier. The user may specify a
simpset-expression; in addition to it, all the simpsets attached to the SIMPSETLIST of the goal are
used.

If  the  GOALWFF  rewrites  to  TRUE,  this  tactic  acts  like  a  matcher;  if  it  rewrites  to  a  WFF 
other  than  the  original  one,  one  subgoal  is  produced,  and  the  SIMPSETREASONLIST  attached  to 
the  goal,  plus  the  user  specified  simpset-expression,  are  stored  in  the  REASON  of  the  goal. 

When this tactic is called from some strategy, one can use a special flag to inhibit
simplification against WFFs in the FACTS of the goal that have the same structure 3 as the
expression or sub-expression being matched, because such sub-expressions are potentially
unifiable against those facts at a lower level in the goal tree. This option will be explained in
greater detail in the section on the LOGIC strategy.

<op_name> := REWRITE | rewrite

<op_info> := OPT[ ALT[ BY | by ] <simpsetexpr> ]

The syntax of <simpsetexpr> has been given in the previous chapter on FOL.


Example: 


*****TRY  USING  REWRITE  BY  {EXTENT}; 

Goal #1#1#1#1#1#2#1#2#1: ∀u.(u∈w≡u∈y)⊃w∈z

***** 


Since  the  axiom  EXTENT  was  attached  to  the  goal  by  the  SASSUME  option  when  the  goal 
was  created,  the  shorter  version  "TRY  USING  REWRITE"  would  have  the  same  effect  in  the 
last  example. 


3.9.1.8. Semantic simplification: SIMPLIFY.


The GOALWFF is simplified by the semantic simplifier using any semantic attachments that
are current. (The FOL mechanism of semantic attachment will be described in a forthcoming
publication by Weyhrauch.)


3 In the sense of the UNIFY command. See UNIFY.

If the GOALWFF simplifies to TRUE, this tactic acts like a matcher; if it simplifies to a WFF
other than the original one, one subgoal is produced.

An example of the use of this tactic is the following: if the GOALWFF contains some
sub-expression SET(x), where x is a variable of sort SET, or of some less general sort, that
sub-expression will simplify to TRUE and the original WFF will simplify too.

At present, <op_info> is nil.


<op_name> := SIMPLIFY | simplify


3.9.1.9. Special tactics.


We have at present three other tactics. The first two, IMPLICATION and ∨I
(or-introduction), constitute an exception to the rule that the subgoals are not only sufficient, but
also necessary conditions for the goal. The third one, INDUCTION, is special purpose: it was
designed for the work on Ramsey's theorem and it assumes that the name of the empty
set is the individual constant X.


3.9.1.9.1. Disjunction rule: ∨I.

This tactic is used to subgoal to one of the disjuncts of a GOALWFF whose main quantifier
is "∨". It produces only one subgoal to the goal. The user has to specify "1" or "2", meaning
the first or second disjunct is to become the GOALWFF of the subgoal.

<op_name> := ∨I | ORI | ori
<op_info> := 1 | 2

Example: 


*****TRY USING ⊃I;

Goal w=x∨w=y

*****TRY USING ∨I 1;

2 w∈z (2)

Goal w=x


***** 
3.9.1.9.2. Implication rule.


Often times there is an implicational WFF, or perhaps a universally quantified implication
among the facts of the goal, such that it is possible to prove its antecedent and that the
consequent would make it easy to prove the goal. Or there may be a VL in the proof that has
those properties.

The op_info for this tactic is optional. The user may specify a VL whose WFF is a
(possibly universally quantified) implication. If it is universally quantified, a list of
instantiations for the universally quantified variables may be given.

If no op_info is given, the tactic attempts to find a VL with the required characteristics
among the facts of the goal. If it finds one, it will still try to find some instantiation for the leading
universal quantifiers that would cause the GOALWFF to match against the consequent; the
tactic will fail if this does not succeed. The reason for making this tactic so "careful" is
its intended use in automatic theorem proving strategies: in those, we are
concerned with avoiding an explosion of the search space.

If  the  tactic  succeeds,  the  antecedent  of  the  implication  becomes  the  GOALWFF  of  the 
subgoal.  When  the  goal  has  been  proved,  the  unwinding  mechanism  will  first  prove  the 
consequent  by  calling  the  FOL  command  RESOLVE  on  the  following  two  VLs:  the  just  proved 
antecedent  and  the  fact  from  which  this  antecedent  was  extracted.  After  this,  the  unwinder  will 
attempt  to  match  the  goal  against  the  VL  that  proves  the  consequent. 

<op_name> := IMPLICATION | implication
<op_info> := OPT[ <VL> OPT[ REP[ <variable name> ] ] ]

3.9.1.9.3. Induction rule.


This tactic was designed for our work on Ramsey's theorem. It is assumed that the empty
set is the individual constant X⁴. It checks that the GOALWFF is universally quantified and
that the variable bound by the first quantifier is of sort NATNUM.

It creates two subgoals: if the GOALWFF is ∀i.PRED(i), then the subgoals are PRED(X) and
∀i.(PRED(i)⊃PRED(SUC(i))), where SUC is assumed to be the name of the successor function.


<op_name> := INDUCTION | induction


4 The reasons for this choice are only historical. The user wishing to use 0 instead can change this tactic by redefining its
components, as will be explained in the next section.
3.9.2. Matchers.


The matchers attempt to prove the GOALWFF directly, that is without decomposing the
goal, by using some decision procedures of FOL and the facts of the goal. We have four
matchers at present, the main one being UNIFY. Their functions correspond to the FOL
commands by the same names. We have an additional special purpose matcher that does not
exist as a FOL command, EQUNIFY, in order to deal with a special case that UNIFY cannot
handle.

UNIFY and EQUNIFY inspect the QUANTELIMLIST of the goal and use it to reconstruct some
possible quantifier introductions, from those eliminations recorded in that list. Skolemization is
achieved to a limited extent in this way.


3.9.2.1. UNIFY.


This is the main matcher. It uses the undocumented FOL procedure UNIFY written by
Weyhrauch and Chandra. This procedure attempts to match a WFF against an already
proved one, if both WFFs have the same structure of logical connectives after removal of the
leading quantifiers. The FOL command is further documented in [Weyhrauch 1977], and the
algorithm will be documented in a forthcoming paper by Weyhrauch.

If the user specifies a VL, the matcher attempts unification only against this one;
otherwise it does so against each one of the VLs in the facts of the goal.

<op_name> := UNIFY | unify

<op_info> := OPT[ <VL> ]

The matcher does more than the FOL command: for each one of the VLs against which it
attempts unification, it loops trying to reconstruct the existential quantifier eliminations that
were made previously in the goal tree.

For instance, assume that we are unifying against a VL that says ∀x.∃y.P(x,y). The FOL
command will unify ∃y.P(z,y) but not P(x,y) against it, and this is indeed correct. However, if
we have a subgoal P(z,w) and w is recorded in the QUANTELIMLIST as coming from some
application of the tactic ∃I and being still free, then this matcher will produce unification
against the VL above.


Example:


*****ABANDON #1#1#1#1;

Goal #1#1#1#1: ∀w.(w∈z≡(w=x∨w=y)) abandoned.

*****TRY USING UNIFY PAIR;

3 ∃z.∀w.(w∈z≡(w=x∨w=y))

4 ∀w.(w∈z≡(w=x∨w=y)) (4)


*****


In the last example, it is unnecessary to specify "PAIR" in the call to UNIFY, because this
axiom is already in the list of assumed facts of the goal. Also using RETRY would make it
unnecessary to abandon the goal. The following equivalent example shows a shorter way of
obtaining the same effect.


Example:


*****RETRY #1#1#1#1 USING UNIFY;

Goal #1#1#1#1: ∀w.(w∈z≡(w=x∨w=y)) abandoned.

3 ∃z.∀w.(w∈z≡(w=x∨w=y))

4 ∀w.(w∈z≡(w=x∨w=y)) (4)

*****


3.9.2.1.1. EQUNIFY.


This is a special purpose matcher designed to deal with the following special case that
UNIFY does not handle. Suppose the goal is "x=y" and y is free in the QUANTELIMLIST, that is,
this subgoal was part of a goal "∃y.(x=y∧P(x,y))". Then the matcher UNIFY will fail on this
equality; the user can match it by calling EQUNIFY.


<op_name> := EQUNIFY | equnify

Now  we  shall  start  up  a  new  example  in  order  to  show  the  use  of  this  matcher.  The 
following  dialog  shows  also  the  effects  of  two  matching  attempts  that  failed  because  of 
user's  error.  See  also  the  explanation  after  the  example. 




Example: 

*****DECLARE PREDCONST P 2;

*****DECLARE INDCONST X;

*****AXIOM REFL: ∀x.P(x,x);;

REFL: ∀x.P(x,x)

*****GOAL ∃x.(x=X∧P(x,X));

Goal #2: ∃x.(x=X∧P(x,X))

*****TRY USING ∃I;

Goal #2#1: x=X∧P(x,X)

*****TRY USING ∧I;

Goal #2#1#1: x=X
Goal #2#1#2: P(x,X)

*****TRY USING EQUNIFY;

The wff of this goal is not an equality.

*****TRY 1 USING EQUNIFY;

3 ∃x.x=X

4 x=X (4)

*****TRY USING UNIFY REFL;

No unification.

The tactic UNIFY can't be applied to goal
Goal #2#1#2: P(x,X)

*****TRY USING REWRITE;

Goal #2#1#2#1: P(X,X)

*****TRY USING UNIFY REFL;

5 P(X,X)

6 P(x,X)≡P(X,X) (4)

7 P(x,X) (4)

8 x=X∧P(x,X) (4)

9 ∃x.(x=X∧P(x,X))


In the first call to EQUNIFY, the default nextgoal was goal #2#1#2, whereas the user
wanted to apply the matcher to goal #2#1#1; the next time he does this correctly. EQUNIFY
recognizes the fact that the variable x in the goal x=X can be matched against any term, so it
matches it with x itself.

As the next call to UNIFY fails, the user recognizes that he must first rewrite the goal. He
could have said: "TRY USING REWRITE 4;", that is stating explicitly that the fact that x=X
must be used to rewrite the goal. But this was unnecessary because the goal structure will
automatically use a fact proved in one branch of the goal tree in order to fertilize the sibling
branch.

After  the  last  call  to  UNIFY,  we  can  see  the  FOL  proof  being  produced  by  the  unwinding 
mechanism. 


3.9.2.2. TAUT and TAUTEQ.


These two matchers use the FOL commands by the same names. They take any number of
VLs as optional arguments. They attempt to prove that the GOALWFF follows tautologically
from the collection of facts attached to the goal plus the VL-list specified by the user.

The FOL command TAUT decides ground tautologies, while TAUTEQ adds the rules of
equality. One should bear in mind that TAUTEQ is much slower than TAUT.

Using the op_name TAUTO the user can call both matchers at the same time. In this case,
TAUT is invoked first and then TAUTEQ is invoked if TAUT failed.

<op_name> := TAUT | taut | TAUTEQ | tauteq | TAUTO | tauto
<op_info> := OPT[ <VL-list> ]

We  shall  rehearse  the  last  example  once  more  in  order  to  show  the  use  of  TAUTEQ. 


Example: 


*****TRY USING ∧I;
Goal #2#1#1: x=X
Goal #2#1#2: P(x,X)
*****TRY 1 USING EQUNIFY;
3 ∃x.x=X
4 x=X (4)

*****∀E REFL X;

5 P(X,X)

*****TRY USING TAUTEQ ↑;

6 P(x,X) (4)

7 x=X∧P(x,X) (4)

8 ∃x.(x=X∧P(x,X))

*****


The command "∀E REFL X", after using EQUNIFY, is a FOL command. The call to the matcher
TAUTEQ indicates that the last line of the proof must be used; of course it is also necessary
to use line 4, but GOAL will do that in any case.


3.9.2.3. MONADIC.


This matcher uses the FOL command by the same name. Its syntax looks the same as
that of TAUT and TAUTEQ, but, unlike these, it does not attempt to match against the whole
collection of facts attached to the goal. There are two sets of reasons for this difference; we
shall discuss them below in this section.

If the user does not specify a VL-list, the matcher attempts to prove that the WFF is TRUE
by itself. Otherwise it tries to prove that it follows, by the MONADIC decision procedure, from
the conjunction of those VLs.

<op_name> := MONADIC | monadic
<op_info> := OPT[ <VL-list> ]

The FOL decision procedure MONADIC was programmed by Bill Glassmire. Its name refers
to the monadic predicate calculus. The pure monadic predicate calculus is known to be a
decidable theory [Mendelson 1964]. However, since FOL deals with theories other than the
monadic predicate calculus, the actual implementation of this command makes it into a decision
procedure for WFFs in universal-existential prenex normal form⁶.

Thus, if the WFF being decided does not reduce to that form, MONADIC recognizes that it falls
out of its scope and informs the user accordingly. This is the first reason why we do not wish
to attach the whole list of facts of the goal to the VL-list given by the user. For it is likely
there will be WFFs, among the facts, that do not reduce to universal-existential prenex form.

Fortunately, if A and B reduce to that form, so does A∧B. Thus it would be theoretically
possible to keep track of which facts do reduce to it, and always add those facts to the VLs
given by the user when calling the MONADIC matcher. Doing so would greatly enhance the
power of this matcher, as well as the power of automatic theorem proving strategies like
LOGIC. This could be done easily if we were not running up against the physical limitations of
our machine. MONADIC uses an enormous amount of computing resources, and it often causes
LISP to run out of free storage. Thus we found that, if the list of those facts that do reduce to
the desired form is passed to MONADIC by default, the automatic theorem proving strategies
tend to abort most of the time for that reason.

Now  let  us  rehearse  the  last  example  one  more  time. 


Example: 

*****GOAL ∃x.(x=X∧P(x,X));

Goal #2: ∃x.(x=X∧P(x,X))

*****TRY USING MONADIC;

The MONADIC command decided that this formula is not valid.
*****TRY USING MONADIC REFL;

3 ∃x.(x=X∧P(x,X))

*****


6 Bill Glassmire's implementation of MONADIC has not been documented and I am not familiar with it. Richard Weyhrauch offered
the following commentary: "MONADIC was implemented by Bill using Quine's method of reducing monadic sentences to sentences
of the form ∀∀∀∀∃∃∃∃ called variously "universal-existential", "AE", or "∀∃". The decision procedure for these was well
known in the thirties. MONADIC actually uses the more general decision procedure to decide ∀∃ formula that it has found.
Function symbols are handled in some reasonably but ad hoc way. I am not sure how." (Personal communication).
3.9.3. Strategies.


The strategies are called using the same syntax as the tactics and matchers, by the TRY
command. They effect calls to tactics and/or matchers. They may be very complex, or quite
simple. From the point of view of the GOAL code, any routine that after decomposing a goal
may attempt to either decompose, or match, any of the subgoals it created, is to be classified
as a strategy. The reason for this is that calls to tactics and matchers are mediated by one
master routine which can be applied only to untried goals, so it is impossible to mediate
calls to entities that call tactics through the same master routine.

At  present  we  have  three  strategies,  only  one  of  which  is  a  theorem  prover.  It  is  very 
easy  to  add  others.  We  have  not  done  so  because  one  of  our  aims  was  to  develop  one 
powerful  theorem  proving  strategy  within  the  context  of  FOL  and  GOAL. 


3.9.3.1. LOGIC.


This is our automatic theorem prover. As it will be described in detail in a special section,
here we shall only present its syntax. The optional op_info field begins with the word PLUS
and serves to add new elements to the FACTS of the goal; when using this switch, the user
does not have control over the assume/sassume option; instead, the prepare mechanism will
decide which VLs go into the simpset in the same manner it decides for VLs that are
generated by the goal structure.

<op_name> := LOGIC | logic

<op_info> := OPT[ PLUS <VL-list> ]

When called on a subgoal (i.e., on a goal that is not a top level one), if LOGIC succeeds in
proving it, it will back up further in the goal tree, attempting to prove all of its relatives: i.e.,
any unproved descendants of any one of its ancestors.


3.9.3.2. ELIMINATION.


This strategy does not attempt to prove anything, i.e. it does not call any matchers. It tries
to recursively decompose the WFF using the following tactics: ∀I, ∃I, ∧I, ≡I, ⊃I, and CASES.

There can be no conflict of priorities between the first five tactics above, for each one of
them can be applied only to WFFs whose main quantifier is the one indicated by the name of
the tactic. However, there may be a conflict with CASES, for both CASES and one of those
tactics can be applied to the same goal. This conflict is always resolved to the disadvantage
of CASES.

ELIMINATION does not call the tactics until it has checked that they can be applied, that
is by looking up the leading quantifier of the WFF, or by calling a routine that checks for the
existence of a disjunctive assertion in the factlist.

The optional op_info serves to limit the depth of the recursion. If used, elimination
proceeds at most to the maximum depth indicated, down the tree, starting from the goal.
Otherwise it decomposes it as far down as possible.

<op_name> := ELIMINATION | elimination

<op_info> := OPT[ <DEPTH> <natnum> ]

The  following  examples  are  self-explanatory;  again  we  are  rehearsing  some  of  the 
previous  examples. 


Examples: 


*****ABANDON #1;

Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))X
abandoned.

*****TRY USING ELIMINATION;

Goal #1#1: ∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
Goal #1#1#1: ∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)

Goal #1#1#1#1: ∀w.(w∈z≡(w=x∨w=y))

Goal #1#1#1#2: ∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)

Goal #1#1#1#1#1: w∈z≡(w=x∨w=y)

Goal #1#1#1#1#1#1: w∈z⊃(w=x∨w=y)

Goal #1#1#1#1#1#2: (w=x∨w=y)⊃w∈z
Goal #1#1#1#1#1#1#1: w=x∨w=y
Goal #1#1#1#1#1#2#1: w∈z
3 w=x∨w=y (3)

Goal #1#1#1#1#1#2#1#1: w=x⊃w∈z

Goal #1#1#1#1#1#2#1#2: w=y⊃w∈z

Goal #1#1#1#1#1#2#1#1#1: w∈z

Goal #1#1#1#1#1#2#1#2#1: w∈z

Goal #1#1#1#2#1: ∀w.(w∈z1≡(w=x∨w=y))⊃z1=z

Goal #1#1#1#2#1#1: z1=z

*****RETRY USING ELIMINATION DEPTH 4;

RETRY USING ELIMINATION DEPTH 4;

T  A

A goal number reference is required here.

*****RETRY #1 USING ELIMINATION DEPTH 4;

Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))X
abandoned.

Goal #1#1: ∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
Goal #1#1#1: ∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)
Goal #1#1#1#1: ∀w.(w∈z≡(w=x∨w=y))

Goal #1#1#1#2: ∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)

Goal #1#1#1#1#1: w∈z≡(w=x∨w=y)

Goal #1#1#1#2#1: ∀w.(w∈z1≡(w=x∨w=y))⊃z1=z

*****
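
The decomposition that ELIMINATION performs on the pairing goal above can be modelled in Python. This is an added example, not GOAL's MLISP code: the tuple representation of WFFs, the function names, and the rule that CASES drops the disjunction it has used from the facts of its subgoals are assumptions made here.

```python
# Added illustration; a constructed model, not GOAL's MLISP code.
# WFFs are nested tuples: ("forall", vars, body), ("exists", var, body),
# ("and"|"iff"|"imp"|"or", left, right); atomic formulas are plain strings.
SYMBOL = {"and": "∧", "or": "∨", "imp": "⊃", "iff": "≡"}


def show(w, top=True):
    """Render a WFF; binary formulas are parenthesized except at top level."""
    if isinstance(w, str):
        return w
    if w[0] in ("forall", "exists"):
        q = "∀" if w[0] == "forall" else "∃"
        return "%s%s.%s" % (q, w[1], show(w[2], top=False))
    text = show(w[1], False) + SYMBOL[w[0]] + show(w[2], False)
    return text if top else "(" + text + ")"


class Goal:
    def __init__(self, label, wff, facts=()):
        self.label, self.wff, self.facts = label, wff, tuple(facts)
        self.tactic = None      # name of the tactic that decomposed this goal
        self.sons = []


def decompose(goal):
    """Pick the applicable tactic; return (name, [(wff, facts), ...]) or None."""
    w, facts = goal.wff, goal.facts
    op = None if isinstance(w, str) else w[0]
    if op in ("forall", "exists"):          # strip the leading quantifier block
        return ("∀I" if op == "forall" else "∃I"), [(w[2], facts)]
    if op == "and":
        return "∧I", [(w[1], facts), (w[2], facts)]
    if op == "iff":                         # one implication per direction
        return "≡I", [(("imp", w[1], w[2]), facts), (("imp", w[2], w[1]), facts)]
    if op == "imp":                         # antecedent becomes a fact of the subgoal
        return "⊃I", [(w[2], facts + (w[1],))]
    # CASES loses every conflict: it is considered only when none of the five applies.
    for fact in facts:
        if not isinstance(fact, str) and fact[0] == "or":
            # Assumption: the disjunction is dropped from the subgoals' facts so
            # that CASES is not applied to it again further down the tree.
            rest = tuple(f for f in facts if f is not fact)
            return "CASES", [(("imp", fact[1], w), rest), (("imp", fact[2], w), rest)]
    return None


def elimination(goal, depth=None):
    """Decompose recursively; depth bounds the levels created below goal."""
    if depth == 0:
        return goal
    step = decompose(goal)
    if step is not None:
        goal.tactic, subgoals = step
        for n, (wff, facts) in enumerate(subgoals, 1):
            son = Goal("%s#%d" % (goal.label, n), wff, facts)
            goal.sons.append(son)
            elimination(son, None if depth is None else depth - 1)
    return goal


def walk(goal):
    """All goals below goal, in pre-order."""
    for son in goal.sons:
        yield son
        yield from walk(son)


def pair(s):
    """The pairing condition for the set named s."""
    return ("forall", "w", ("iff", "w∈" + s, ("or", "w=x", "w=y")))


# The top level goal #1 of the transcript above.
TOP = ("forall", "x y", ("exists", "z",
       ("and", pair("z"), ("forall", "z1", ("imp", pair("z1"), "z1=z")))))


def run(depth=None):
    """Apply the model of ELIMINATION to a fresh copy of goal #1."""
    return elimination(Goal("#1", TOP), depth)


if __name__ == "__main__":
    for g in walk(run()):
        print("Goal %s: %s" % (g.label, show(g.wff)))
```

Without a depth the model creates the same fifteen goals as the transcript, and `run(4)` stops at the six goals listed after the RETRY command.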


3.9.3.3. IFCASES.


This is a special purpose strategy for conditional expressions. Conditional expressions
[McCarthy 1963] are legal in FOL: there are both IF-WFFs and IF-terms. There are two
special simpsets for conditional expressions: WFFIFTREE and ARGIFTREE. The first deals with
IF-WFFs, the second deals with IF-WFFs and IF-terms.

In the present implementation, the user must specify a WFF as argument to IFCASES. First
the strategy calls CASES on this WFF and ⊃I on both subgoals; then it calls the tactic
REWRITE on both grandsons of the goal, making sure to include in the simpset: WFFIFTREE,
ARGIFTREE, and the antecedent of the just effected ⊃I, in each case (that is, the WFF given
by the user and its negation, respectively).

<op_name> := IFCASES | ifcases
<op_info> := < WFF >

A variation of this strategy has been used in the example of the Takeuchi function, that
is presented in a separate chapter.


4.  EXTENDING  GOAL. 


While the previous chapter described GOAL from the user's point of view, the purpose of
this chapter is to introduce the reader to the programming of new operative elements. At
present this cannot be done without considering the FOL code. However, the documentation
in the following sections should be very helpful to any one wishing to extend GOAL. We shall
look at some internal aspects of the GOAL implementation; in particular, at the system that
controls the activity of the operative elements.

It is always difficult to present a total system in a linear manner, and even more difficult
for the reader to find his way through the maze. Necessarily, this is only a partial description;
a user will still have to look at the code when trying to program extensions to GOAL. We shall
follow an unconventional approach, trying to present the material in a sequence intended to
make it easy to read. Thus we shall circle several times over some aspects, gaining depth
each time. We shall begin with some general information about the GOAL implementation.

The strategies are easier to program than the other two types of operative elements, and
they are also, expectedly, the most frequent and useful type of extension that users will
want to make. Strategies are easier than matchers and tactics because the latter interact
more with the FOL routines; hence more knowledge of the FOL code is required to program
these. Strategies are almost entirely contained in GOAL; they are not concerned with
unwinding nor with updating the goal structure. But they perform nevertheless some operations
that require some knowledge of the FOL implementation: for example, a knowledge of the
internal representation of wffs in FOL is needed in order to determine which is the leading
quantifier of a wff.

Parts of goals can be accessed using MLISP macros that bear the same name as those
parts. Parts of WFFs, and VLs, are accessed using MLISP macros defined in the FOL code.
Readers desiring to do their own strategies should look at the MLISP code of the existing
operative elements in order to get acquainted with these macros.


4.1.  The  three  components  of  the  operative  elements. 


With  each  tactic  there  are  three  associated  routines:  the  parser,  the  executor,  and  the 
unwinder.  The  other  two  types  of  operative  elements  do  not  need  an  unwinder,  but  do  have  a 
parser  and  an  executer. 

The executer performs the required actions: in the case of tactics, it creates subgoals; for
matchers, it calls the FOL decision procedures; and in the case of strategies, it calls other
operative elements. The parser parses user's calls (by the TRY command) to the operative
element. And the unwinder, that is automatically called when all sons of a goal have been
proved, produces the FOL forward proof of that goal, from the VLs that prove its sons.


In order to program a new operative element, the user has to supply the executer, the
parser, and the unwinder if the element is a tactic. It is also necessary to provide a name for
the atom that will represent the new element, and to call a routine that introduces this
element to the system; there is one such routine for each type of operative element.


4.2. The internal representation of the operative elements.


The components of an operative element, that is the routines mentioned in the previous
section, are stored in the property list of a LISP atom that represents the operative element.

The name of this atom will be referred to as the standard name¹ of the operative element.

The names of operative elements are stored in the global variable OPELEMLIST. The global
variable STRATEGYLIST is a subset of OPELEMLIST. The routines that introduce new operative
elements will refuse to introduce an element whose standard name is already in this first list.
However, they will not check whether the names of the associated routines provided by the
user conflict with other identifier names used in the system; it is the user's responsibility to
make sure that no names are duplicated.


4.3.  The  control  system. 


In this section we shall cover the structure of the subsystem of GOAL that controls the
activity of the operative elements. This system is the core of GOAL, as well as its only
extensible part. It is entered by the TRY command.

The  three  routines  associated  with  each  operative  element  do  not  communicate  with  each 
other  directly.  They  are  managed  by  master  routines  that  control  the  operations  of:  parsing, 
execution,  and  unwinding.  These  master  routines  are:  TRY  which  controls  parsing;  TRYING 
which  controls  execution  of  both  tactics  and  matchers,  TRYCMPL  which  controls  execution  of 
strategies,  and  UNWIND,  that  is  called  either  from  TRYING  or  recursively  by  itself,  and  which 
controls  unwinding. 

The only one of these master routines which must be called directly by the user is TRYING;
this is the case in user programmed strategies. The others are mentioned because, in order to
program new operative elements, it is helpful to have a general understanding of the control
structure. TRYING will be dealt with in a special section. The basic conventions to be
observed will be described in the sections that explain how to program the different types of
operative elements.

The only operative elements that can call other operative elements, or themselves
recursively, are strategies. However, when they call a tactic or a matcher, the call must
always be routed as a call to TRYING. We shall later see in more detail how to do this. Calling
any tactic or matcher directly, without mediating the call through TRYING, will always result in
a fatal error. On the other side, a strategy calling another strategy can, and should, make the
call directly to the executer; thus the executer of a strategy can recursively, directly call
itself. Strategies can also call PREPARE.


1 It is a standard name from the point of view of the system, but it does not need to be the same name with which the tactic is
invoked by the user via the TRY command.

The hierarchical structure of this system is shown in figure 1. The arrows indicate
possible calls from one routine to another; they do not indicate calls that will always occur.
Possible recursions are indicated accordingly.


4.3.1. FIGURE 1: Structure of TRY.
4.4. Types of variables.


The reader must now become aware of the important distinction between the two following
types of variables that are used by the operative routines of GOAL: goals and threads.

A variable of type goal is a pointer to a goal; threads are described in the next section.

The  goal  structure  is  generally  updated  using  the  LISP  functions  RPLACA  and  RPLACD.  Thus 
any  local  variables  of  type  thread  or  goal  will  undergo  the  same  updates. 


4.4.1. Threads.


Most of the time, the GOAL routines are operating on some goal. However, they often
need to be able to find its parent, or to detect whether it is a top level goal. Sometimes it is
also necessary to determine whether a goal is an ancestor of another.

For these reasons we have chosen threads as the most common way of pointing to goals.
Many routines pass threads to each other as arguments, but some take just a goal as
argument.

The thread associated with a goal is a list whose car is the goal, and whose cdr is the
thread of its parent. Thus the goal of a thread is the car of the thread. The last element of a
thread is always the global variable GOALLIST, which is the list of top level goals.


4.4.2. The three defaults.


The global variables that identify the three defaults discussed in chapter 3 are called:
LASTGOALTHREAD, NEXTGOALTHREAD, and CURRENTGOALTHREAD.

The user should never assign values to these three variables. They are automatically
reset by the system. However, users may want to use local variables to keep track of
threads in a strategy².

A thread is empty if it is a list of only one element, namely GOALLIST. The macro³
EMPTYTHREAD(THREAD) checks whether a thread is empty. The cdr of the thread of a top
level goal is empty.

The routine SUBTHREAD(THR1,THR2) checks whether the goal of THR1 is an ancestor of the
goal of THR2. This is equivalent to THR1 being equal to an end segment of the list THR2.

2 For instance, the strategy LOGIC uses a queue of threads in order to implement a breadth first search.

3 Here the word macro refers to a MLISP macro. A number of macros have been used to name the different parts of goals, and
for some other purposes. They are expanded when the MLISP code is translated into UCI-LISP.
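
The thread structure of sections 4.4.1 and 4.4.2, with EMPTYTHREAD, SUBTHREAD and a breadth first walk over a queue of threads, can be modelled in Python. This is an added example, not GOAL's MLISP code: the pair representation of lists, the function names and the sample goal tree are assumptions made here.

```python
from collections import deque

# Constructed model of the list structure described above, not GOAL's MLISP code.
# A LISP list is modelled as nested pairs (car, cdr), with None standing for NIL.
GOALLIST = ["<list of top level goals>"]     # stand-in for the global GOALLIST
EMPTY = (GOALLIST, None)                     # the one-element list (GOALLIST)


class Goal:
    def __init__(self, name, sons=()):
        self.name, self.sons = name, list(sons)


def make_thread(goal, parent_thread=EMPTY):
    """car is the goal, cdr is the thread of its parent."""
    return (goal, parent_thread)


def goal_of(thr):
    """The goal of a thread is the car of the thread."""
    return thr[0]


def empty_thread(thr):
    """EMPTYTHREAD: the thread holds nothing but GOALLIST."""
    return thr[1] is None and thr[0] is GOALLIST


def top_level(thr):
    """A goal is top level when the cdr of its thread is empty."""
    return not empty_thread(thr) and empty_thread(thr[1])


def subthread(thr1, thr2):
    """SUBTHREAD: thr1 equals an end segment of thr2.
    Assumption: the whole of thr2 counts as an end segment of itself."""
    cell = thr2
    while cell is not None:
        if cell == thr1:
            return True
        cell = cell[1]
    return False


def breadth_first(top_goal):
    """Visit a goal tree level by level with a queue of threads."""
    queue, order = deque([make_thread(top_goal)]), []
    while queue:
        thr = queue.popleft()
        order.append(thr)
        queue.extend(make_thread(son, thr) for son in goal_of(thr).sons)
    return order


def build_sample():
    """Constructed tree shaped like goal #2 of the EQUNIFY example."""
    g211, g212 = Goal("#2#1#1"), Goal("#2#1#2")
    return Goal("#2", [Goal("#2#1", [g211, g212])])


if __name__ == "__main__":
    for thr in breadth_first(build_sample()):
        print(goal_of(thr).name, "top level" if top_level(thr) else "subgoal")
```

Because every thread shares the cells of its parent's thread, the ancestor test is a walk down one cdr chain and needs no search of the goal tree.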
4.4.3. Status checking.


A  proved  goal  has  a  structure  totally  different  from  that  of  an  unproved  one.  Trying  to 
access  parts  of  a  proved  goal  as  if  it  were  unproved  will  result  in  fatal  errors.  Also,  a  tried 
goal  cannot  be  tried  again  by  any  operative  element  unless  it  has  previously  been  abandoned. 

Thus,  when  programming  strategies  it  may  be  necessary  to  check  the  status  of  a  goal. 
There  are  the  following  status  checking  predicates:  the  MLISP  macros  PROVED  and  UNTRIED, 
and  the  function  TRIED.  All  of  these  take  only  one  argument,  of  type  goal. 


4.4.3.1. Abandoning.


Abandoning goals can be done from within strategies using the function ABNDN(THR,PSWT).
The first argument is a thread. The second is a printswitch: if this switch is NIL, then no
message will be printed when the goal is abandoned.


4.6.  Rules  for  programming  new  operative  elements. 


Now we shall outline the conventions for programming the different components of
operative elements. This description cannot be exhaustive.

We shall begin with the easiest, namely the parsers.

In each case, we shall end the section with an example.


4.6.1. Parsers.


Parsers  take  only  one  argument  of  type  goal.  The  rules  for  the  returned  expression  will  be 
described  below. 

Let  us  recall  that  the  syntax  of  the  TRY  command  is: 

TRY  [OPT  ALT[  <goalref>  |  natnum  ]  ]  USING  <op_name>  <op_info>  ; 

The parsers parse <op_name> and <op_info>. The rest of the above syntax, including
the semicolon, is not parsed by the parser. Thus it is most important that the higher level
parsing routines expect a semicolon after the parser returns control.

The syntax for the <op_name> and the <op_info> is defined by the user in the act of
programming the parser. The <op_name> is usually an alternative of two words (i.e., upper or
lower case). The <op_info> may be more involved; for instance, in the case of the REWRITE
tactic, the <op_info> may recognize a FOL expression for a simpset and call the FOL routine
SIMPSETEXPR that constructs the internal representation of a simpset.


4.5.1.1. The expression returned by parsers.


1) If the parser does not recognize the <op_name>, then it must return NIL.

2) If the parser recognizes the <op_name>, it proceeds to parse the <op_info>.

3) If the scanned expression does not conform to the syntax for the <op_info>, the
system must pop up to the top level of FOL, while normally issuing some error message. There
are various ways of doing this, which will be illustrated in the examples; the FOL routine
ENDM is very useful for popping up.

4) If it is detected at parse time that the operative element cannot be applied to the goal,
then return a LISP atom. This atom will be considered to describe the name of the element
and will be printed in a message by the TRY command.

5) Successful parsing: a list must be returned; the first element must be the standard
name of the operative element (i.e. the atom that represents this element internally). The
following elements of the list are going to be the additional arguments taken by the executor,
if any; this point requires some further explanation.

We shall see that the first two arguments of any executor are: the thread of the goal, and
a printswitch. Some executors take additional arguments; these additional arguments are to
be passed in the list returned by the parser, and must be in the same order.

Thus, if the executer takes only the two standard arguments, the parser must return the
standard name consed with NIL. If the executer takes, say, four arguments, the parser must
return a list of three elements; the second and third elements of this list will be the third and
fourth arguments taken by the executer.


4.5.1.2. Examples of parsers.


We  shall  now  look  at  the  MLISP  code  of  several  parsers  and  comment  them. 
4.5.1.2.1. Conjunction rule: ∧I.


EXPR PARSAND(G);

IF CHECK⊗('AI,'ai,'?∧) THEN IF MAINSYM(goalwff(G))='?∧ THEN <'?∧I> ELSE '?∧I ;


The FOL routine CHECK⊗ checks for the occurrence of the token: "AI" or "ai" or "∧". The
FOL MLISP macro MAINSYM returns the leading connective of a WFF. The GOAL MLISP macro
goalwff returns the goalwff of a goal. The standard name of this tactic is the quoted atom
"∧I".


Thus this parser returns: NIL if the <op_name> is not recognized, the quoted atom "∧I" if
the tactic cannot be applied to the goal, and the standard name "∧I" consed with NIL if it can.
The <op_info> for this tactic is nil.

In the second case, the TRY command will issue the following message:

"The tactic ∧I can't be applied to goal ..."

and then it will display the goal.

Notice that there is no check for a semicolon in this parser; the command is expected to
end here, and the check for the ending semicolon is performed at a higher level.


4.5.1.2.2. Disjunction rule: ∨I.


EXPR PARSOR(G:SP);

IF CHECK⊗('ORI,'ori,'?∨) ∧ (SP←NATNUM⊗()) THEN
   IF MAINSYM(goalwff(G))='?∨ THEN
      IF (SP=1) ∨ SP=2 THEN <'?∨I,SP>
      ELSE PARSORMSG()
   ELSE '?∨I ;


SP is here a local variable to hold the <op_info>, which must be 1 or 2, depending on
which one of the two disjuncts will become the new subgoal. NATNUM⊗ is a FOL routine that
expects a natural number and pops up to the top level, while issuing an error message, if
anything else is encountered.

Thus this parser first checks that the <op_info> is a natural number. If it is not, it will
pop up to the top level and the error message will be the standard FOL message that
indicates the type of token expected, with an arrow pointing to it. However, if a natural
number is encountered, this parser will perform a second check to determine that it is 1 or 2;
this check comes after examining the leading quantifier of the goalwff; admittedly, the order
of these checks could be somewhat different.

In  case  of  successful  parsing,  the  returned  expression  is  a  list  of  two  elements.  The 
second  element,  SP,  will  be  passed  as  the  third  argument  to  the  executer  of  this  tactic,  which 
takes  exactly  three  arguments. 

PARSORMSG  is  a  routine  that  prints  an  error  message,  specifically  for  this  parser.  The  user 
can  add  such  routines  to  enhance  the  quality  of  error  messages  in  the  parsers.  We  can  learn 
something  from  the  code  of  PARSORMSG. 


EXPR PARSORMSG();

BEGIN TERPRI();
PRINC("The argument to PARSOR must be 1 or 2.");
ENDM();
END;


We  see  that  PARSORMSG  does  a  carriage  return,  prints  a  message,  and  then  it  calls  the 
FOL  routine  ENDM. 

ENDM  is  a  FOL  routine  that  ends  scanning  of  a  command  line  and  pops  up  to  the  top  level 
of  FOL. 


4.5.1.2.3. The rule of CASES.


This  is  a  more  complicated  parser. 


EXPR PARSECASES(G);

BEGIN NEW X;
IF TK2⊗('CASES,'cases) THEN
   IF TK='?; THEN IF X←EXISTORASSU(G,'?∨) THEN RETURN(<'CASES,X>)
                  ELSE CASEPARSEMSG3(" disjunction",'CASES)
   ELSE IF X←WFF⊗(NIL) THEN RETURN(<'CASES,X>)
   ELSE IF X←VL⊗⊗(NIL) THEN IF MAINCONN(WFFOF(X),'?∨,NIL,T)
                            THEN RETURN(<'CASES,X>)
                            ELSE CASEPARSEMSG2(CAR X,'?∨)
   ELSE CASEPARSEMSG1('CASES);
RETURN(NIL);
END;

The FOL routine TK2⊗ is used to parse an alternative of two tokens.

The global variable TK also belongs to FOL; at any time during command scanning, it
contains the next token in the input stream; thus the condition "IF TK='?;" checks whether
the next token is a semicolon but it does not perform scanning of this token; this is important,
because scanning would advance the scanner, and we know that the parser must stop short
of the command closing semicolon.

This check for the semicolon is done because the <op_info> for this tactic is optional; if
no <op_info> is given, the parser calls EXISTORASSU to determine whether among the facts
of this goal there is some disjunction. EXISTORASSU is rather involved and will not be
presented here.

WFF⊗ and VL⊗⊗ are FOL parsing routines that recognize WFFs and VLs, respectively.


4.5.1.2.4. The tautology matcher.


We  also  show  the  code  of  the  parser  that  combines  the  TAUT  and  TAUTEQ  rules  of  FOL, 
because  the  code  of  the  corresponding  executer  will  be  shown  in  a  later  section. 


EXPR PARSETAUT(G);

IF TK2⊗('TAUT,'taut) THEN RETURN(<'TAUT,3,VLLIST⊗(NIL),NIL>)
ELSE IF TK2⊗('TAUTEQ,'tauteq) THEN RETURN(<'TAUT,4,VLLIST⊗(NIL),NIL>)
ELSE IF TK2⊗('TAUTO,'tauto) THEN RETURN(<'TAUT,5,VLLIST⊗(NIL),NIL>);


4.5.1.2.5. The elimination strategy.


The  following  is  another  example  of  an  interface  between  a  parser  and  an  executer.  The 
executer  of  this  strategy  will  be  shown  later. 


EXPR PARSELIM(G:DEPTH); IF TK2⊗('ELIMINATION,'elimination) THEN
<'ELIM, IF TK2⊗('DEPTH,'depth) THEN
        IF DEPTH←NATNUM⊗() THEN DEPTH ELSE ENDM() ELSE 1000 >;


4.5.2. Executers in general.


The first argument of any executer is the thread of the goal, and the second argument is a
printswitch. Additional arguments are optional. If the printswitch is NIL, printing of the
generated subgoals would be inhibited.

The executers for the three types of elements perform different functions and will be
described separately. However, the executers of tactics and matchers have more in common
than those of strategies. The latter are safer, and in a sense easier, to program, because they
do not interact with FOL.


4.5.2.1. The master routines.


Calls to the executers of tactics and matchers are mediated by TRYING, and they cannot
be called directly by any other routine. The MLISP code of TRYING follows. When the tactic is
called from the TRY command, the whole expression returned by the parser will be passed as
the argument X to TRYING. The conventions for this expression were outlined in the previous
sections.


EXPR TRYING(X,PSWT,THREAD,PREP);

BEGIN NEW OLDVL,REAS,G;
G ← goal(THREAD);
IF PREP THEN PREPARE(G,PSWT);
IF REAS ← APPLY(GET(CAR X,'EXECUTER), THREAD CONS (PSWT CONS CDR X))
   THEN IF REAS = T THEN MATCHWORK(THREAD,PSWT,CAR PROOF)
        ELSE CURRENTGOALTHREAD ← THREAD
             ALSO udreason(G,REAS);
RETURN REAS;
END;

The executers of strategies can be called directly by another strategy, or recursively by
itself. Thus the user does not need to call TRYCMPL. The TRY command, however, uses
TRYCMPL in order to mediate calls to the executers of strategies. The code of TRYCMPL
follows.


EXPR TRYCMPL(X,PSWT,THREAD:G,REAS);

IF REAS←APPLY(GET(CAR X,'EXECUTER), THREAD CONS (PSWT CONS CDR X))
   THEN IF PROVED(G←goal(THREAD))
        THEN RPLACD(CDR G,'PROVED? ? BY? CONS REAS)
        ELSE REAS;


The code of these two routines was given here only for ease of reference. The user need
not be concerned with this code, but looking at it may make it easier to understand the
conventions outlined in this chapter.


4.5.2.2. The expression returned by executors.


The expression returned by executers of tactics and matchers is of paramount importance.
It must obey the following rules. Failure to follow these rules will cause fatal errors.

1) NIL must be returned if the tactic could not be applied to the goal, or if the matcher
failed. In this case, nothing happens to the goal structure. It is a "no-operation".

2)  The  LISP  atom  T  must  be  returned  if  a  match  occurred;  this  condition  applies  to  the 
matchers  and  to  some  tactics  that  sometimes  match  a  goal  (i.e.,  REWRITE,  SIMPLIFY). 

3) In the case of successful subgoal creation by a tactic, the expression returned must be
the REASON: this expression is going to be stored as the goal REASON, by the master routine
TRYING, and the unwinder of the tactic will use this information at a later time. (The user that
programs a new tactic has complete freedom to choose this expression, as long as it is
neither NIL nor T. The unwinder must be designed accordingly.)

In the case of strategies, the returned expression is not of the same importance. Only
minor errors will result from returning a different expression. However, in order for error
messages to work properly, it is convenient to return NIL if the strategy did not achieve
anything at all (i.e., no tactic or matcher could be successfully applied), and otherwise a
quoted expression like the name of the strategy. This quoted expression will be used as
follows by TRYCMPL: if the goal was proved, it will append the information: "PROVED BY "
followed by the quoted expression, and the only effect will be its appearance when the user
displays the goal with the SHOWGOAL command.


4.5.2.3. Executers of tactics.


The  executor  of  a  tactic  must  update  the  goal  structure  by  adding  the  newly  created 
subgoals,  as  sons  to  the  goal  being  tried. 

The addition of subgoals is accomplished by invoking the routine ADDSUBGOALS; the first
argument passed to this routine must be the thread of the goal being tried, and the second
must be the number of sons to be created.

Most of the parts attached to goals are passed down, hereditarily, to their sons which are
created by ADDSUBGOALS. But the goalwff must be updated, in every case, using the macro
udgoalwff. Some tactics update other parts, for instance: the quantifier rules update the
quantelimlist, and the tactic ⊃I updates the factlist.

We shall see here just two simple examples: the executers for ∧I and ∨I.
EXPR TRYAND(THREAD,PSWT:G,W);

IF MAINSYM(W←goalwff(G←goal(THREAD)))='?∧
   THEN ADDSUBGOALS(THREAD,2)
   ALSO udgoalwff(son(1,G),LFAND(W))
   ALSO udgoalwff(son(2,G),RTAND(W))
   ALSO (IF PSWT THEN PRINTDESC(THREAD))
   ALSO RETURN(<'?∧I>);


EXPR TRYOR(THREAD,PSWT,SP:G,W);

IF MAINSYM(W←goalwff(goal(THREAD)))='?∨
   THEN G←ADDSUBGOALS(THREAD,1)
   ALSO udgoalwff(G,IF SP=1 THEN LFOR(W) ELSE RTOR(W))
   ALSO (IF PSWT THEN PRINTDESC(THREAD))
   ALSO RETURN(<'?∨I,SP>);


We  shall  see  the  unwinders  of  these  two  tactics  in  the  section  on  unwinders.  The 
unwinder  UNWOR  will  use  the  information  stored  in  the  goal  REASON  by  TRYOR. 


4.5.2.4. Executers of matchers.


The executer of a matcher must call some FOL decision procedure; if the procedure
decides that the WFF of the goal is TRUE, then we have a match. In this case the matcher
must add the WFF as a new VL to the FOL PROOF, and then return the atom T. At this point,
the last line of the PROOF must be the VL that matched the goal being tried.

These operations are done by calling the FOL routines that create VLs. This requires some
understanding of the FOL code that goes beyond the scope of this chapter⁴.

For the sake of completeness we show here the code of a matcher, that combines both
TAUT and TAUTEQ. It attempts to match the goal WFF against the list of facts of the goal plus
any list of VLs given by the user when calling this matcher using the TRY command. The user
given VLs are passed in the parameter VLLIST. TAUTMNG is a FOL routine that decides
tautologyhood, and NEWSTEP is the FOL routine that creates a new VL; care must be
exercised when using NEWSTEP, because there are several ways of invoking it depending on
the expressions returned by the different FOL decision procedures.


EXPR TRYTAUT(THREAD,PSWT,A,VLLIST,TEST); %TEST to see if apply EQUTEST2 %
% A is 3 or 4 depending on whether TAUT or TAUTEQ is to be used. However,
if A is 5 then both TAUT and TAUTEQ are tried. %
BEGIN NEW W,X,G,AL;
W←goalwff(G←goal(THREAD));
IF AL←facts(G) THEN AL←CDR AL;
IF TEST ∧ (A=4) ∧ (¬EQUTEST2(W CONS AL)) THEN A←3;
IF X←TAUTMNG(A,W,?*APPEND(AL,VLLIST)) THEN NEWSTEP(X)
   ALSO RETURN(T);
IF PSWT THEN TRYTAUTMSG(A) ALSO RETURN NIL;
END;


⁴ Admittedly this is not an ideal situation. But we shall elaborate on the remedies in the final chapter of this thesis.


4.5.2.5. Executers of strategies.


The  executor  of  a  strategy  sequences  the  calls  to  the  executers  of  other  operative 
elements. 

It  calls  the  executers  of  tactics  and  matchers  indirectly,  but  those  of  strategies  directly. 
In  each  case,  the  user  must  make  sure  that  the  appropriate  arguments  are  being  passed  to 
each  executor. 


4.5.2.5.1. Example: elimination.


EXPR TRYELIM(THREAD,PRINTSWITCH,DEPTH);

IF ?*GREAT(DEPTH,0) THEN
BEGIN NEW S,DESC,G;
IF ((S←MAINSYM(goalwff(G←goal(THREAD)))) ∈ <'?∀,'?∃,'?∧,'?⊃,'?≡>)
   THEN S←GET(S,'TACTICALL)
   ELSE IF S←EXISTORASSU(G,'?∨) THEN S←<'CASES,S>
   ELSE RETURN NIL;
IF TRYING(S,PRINTSWITCH,THREAD,T)
   THEN DESC ← REVERSE(descendants(G))
   ALSO BEGIN
      L; TRYELIM(CAR(DESC) CONS THREAD,PRINTSWITCH,DEPTH-1);
      IF DESC←CDR DESC THEN GO L;
   END
   ALSO RETURN('ELIM)
   ELSE RETURN NIL;
END;


Notice that the strategy does not reset any of the defaults. For this particular strategy,
the calls to the executers of the five tactics: ∀I, ∃I, ∧I, ⊃I, and ≡I, have been attached to LISP
atoms in order to make the code compact. The GOAL routine EXISTORASSU determines
whether a goal has a disjunction among its facts.

First it is determined whether elimination can be applied any further, and the appropriate
calling expression is assigned to the variable S. The appropriate tactic is then called, and
TRYELIM calls itself recursively on the sons, thus expanding the tree depth first.


4.5.2.5.2. Example: LOGIC.


We  also  show  here  the  code  of  LOGIC,  without  comments.  This  strategy  will  be  discussed 
extensively  and  a  higher  level  description  of  its  heuristics  will  be  presented  in  the  chapter  on 
automatic  theorem  proving. 


EXPR TRYLOGIC(THR,PSWT,FCL);

BEGIN NEW THRQUEUE,G,THREAD,FAILQ,PASS,PREP,S,D,TEMP,N,I,SX,TH1,OLFQ,LFQ;
G←goal(THREAD←THR); PASS←1; OLFQ←0;
IF FCL THEN addonefact(G,'PROVED CONS FCL);

SRCH; IF MATCHSEARCH(THREAD,T) THEN GO MTCH;
IF T=(PREP←TRYING(<'SIMPLIFY,NIL>,PSWT,THREAD,NIL)) THEN GO MTCH
   ELSE IF PREP THEN PREP←NIL ALSO GO DS;
IF simpsetaddflag(G) THEN
   IF T=(PREP←TRYING(<'REWRITE,T,NIL,<<NIL,NIL>>>,PSWT,THREAD,NIL)) THEN GO MTCH
   ELSE IF PREP THEN PREP←NIL ALSO GO DS;

GRIND; PREP←NIL;
IF ¬(X←TRYING(<'SIMPLIFY,NIL>,PSWT,THREAD,NIL)) THEN
   IF QUANT(S←MAINSYM(goalwff(G)))
      THEN TRYING(GET(S,'TACTICALL),PSWT,THREAD,NIL)
      ELSE IF simpsetaddflag(G)
              ∧ (X ← TRYING(<'REWRITE,T,NIL,<<NIL,NIL>>>,PSWT,THREAD,NIL))
           THEN ( IF X=T THEN GO MTCH )
           ELSE
           ( IF S = '?o THEN PREP←T ALSO S←<'?al>
             ELSE IF S ∈ <'?a,'?£> THEN S←GET(S,'TACTICALL)
             ELSE IF S←EXISTORASSU(G,'?∨) THEN S←<'CASES,S>
             ELSE FAILQ←THREAD CONS FAILQ ALSO GO L2 )
           ALSO TRYING(S,PSWT,THREAD,NIL)
   ELSE IF X=T THEN GO MTCH;

DS; N←LENGTH(D←descendants(G)); I←1; SUC←NIL; TEMP←NIL;

LUP; S←son(I,G);
IF MATCHSEARCH(TH1←S CONS THREAD,PREP) THEN SX←T
   ELSE TEMP←TH1 CONS TEMP;
IF ?*GREAT(N,I) THEN I←I+1 ALSO GO LUP;
IF SX THEN IF ?*GREAT(N,2)
           THEN THRQUEUE←?*APPEND(TEMP,THRQUEUE)
           ELSE GO MTCH
   ELSE THRQUEUE←?*APPEND(THRQUEUE,TEMP);

L2; IF THRQUEUE THEN THREAD←CAR THRQUEUE ALSO THRQUEUE←CDR THRQUEUE
    ALSO IF UNTRIED(G←goal(THREAD)) THEN IF ATOM(addedfacts(G)) THEN GO GRIND
                                         ELSE GO SRCH
         ELSE GO L2;
TERPRI();
IF NULL(FAILQ) THEN PRINC("Strange behavior of LOGIC: failqueue is empty!")
   ALSO RETURN NIL;
PRINC("We have a failqueue of length: "); PRINC(LENGTH(FAILQ));
TEMP←NIL; PASS←PASS+1;

L3; IF FAILQ THEN THREAD←CAR FAILQ ALSO FAILQ←CDR FAILQ
    ALSO ( IF UNTRIED(G←goal(THREAD))
           THEN IF addedfacts(G) THEN THRQUEUE←THREAD CONS THRQUEUE
                ELSE TEMP←THREAD CONS TEMP )
    ALSO GO L3;
TERPRI();
IF OLFQ=(LFQ←LENGTH(THRQUEUE))
   THEN PRINC("Failure: can't prove anything on failqueue.") ALSO RETURN NIL
   ELSE PRINC("Starting a new ")
        ALSO PRINC(PASS) ALSO PRINC("-th pass on new queue of length: ")
        ALSO PRINC(OLFQ←LFQ) ALSO FAILQ←TEMP ALSO GO L2;

MTCH; IF EMPTYTHREAD(NEXTGOALTHREAD) THEN TERPRI() ALSO PRINC("LOGIC SUCCEEDED!")
      ELSE G←goal(THREAD←NEXTGOALTHREAD) ALSO GO SRCH;
RETURN 'LOGIC CONS FCL;
END;


The  routine  MATCHSEARCH  is  used  by  LOGIC  to  try  out  all  match  possibilities.  However,  the 
MONADIC  matcher  could  be  tried  against  some  of  the  facts.  This  is  not  done  because  it  often 
causes  the  system  to  run  out  of  storage  space. 


EXPR MATCHSEARCH(THREAD,PREP:W);

TRYING(<'UNIFY,NIL>,NIL,THREAD,PREP)
∨ TRYING(<'TAUT,3,NIL,NIL>,NIL,THREAD,NIL)
∨ (IF MONASFLAG ∧ QUICKTEST(W←goalwff(goal(THREAD)),NIL)
   THEN TRYING(<'MONADIC,NIL,T,NIL>,NIL,THREAD,NIL))
∨ TRYING(<'EQUNIFY>,NIL,THREAD,NIL);


In  order  to  make  this  example  complete,  we  also  show  the  code  of  the  corresponding 
parser. 


EXPR PARSELOGIC(G);

IF TK2⊗('LOGIC,'logic) THEN
   <'LOGIC, IF TK2⊗('PLUS,'plus) THEN VLLIST⊗()>;


4.5.3. Unwinders.


Only tactics have unwinders. The unwinder reads the unwinding information stored in the
goal REASON, obtains the VLs of the proven sons of the goal, reconstructs the expression that
must be passed to NEWSTEP in order for the new VL to be created, and returns this
expression without calling NEWSTEP.

The master routine UNWIND controls unwinders, and this master routine is going to pass
the returned expression to NEWSTEP. Thus, the convention to be followed is that the
unwinder returns the expression that needs be passed to NEWSTEP in order for the new proof
step to be created.

As examples, we show the code of the unwinders of the tactics: ∧I, and ∨I. In these
examples, the macro vlofpg accesses the VL of a proved goal. The second example
illustrates the use of the goal REASON, which is accessed with the macro reason(G), in order
for the unwinder to obtain the unwinding information.

The  rather  incomprehensible  code  of  both  unwinders  is  due  to  the  FOL  system.  We  shall 
elaborate  more  on  this  problem  in  the  conclusion  of  this  thesis. 


EXPR UNWAND(G);

BEGIN NEW X,Y;
DEPLIST←DEPOF(X←vlofpg(son(1,G))) UNION2 DEPOF(Y←vlofpg(son(2,G)));
RETURN (<goalwff(G),<THISLINE,'∧I? ,<'LIST&,CAR(X),CAR(Y)>>>);
END;


EXPR UNWOR(G);

BEGIN NEW X,W;
DEPLIST←DEPOF(X←vlofpg(son(1,G)));
W←goalwff(G);
RETURN (<goalwff(G),<THISLINE,'∨I? ,
   IF CADR(reason(G))=1 THEN <'OI&,NUMOF(X),'WFF& CONS RTOR(W)>
   ELSE <'OI&,'WFF& CONS LFOR(W),NUMOF(X)>>>);
END;


4.6.  Introducing  a  new  element  to  GOAL. 


After programming a new operative element, the user must introduce it to the system and
then load the new routines.

The introduction is accomplished by calling a GOAL routine that makes the components of
the element known to GOAL.

The  following  three  examples  are  self-explanatory. 


NEWTACTIC('?∧I,'PARSAND,'TRYAND,'UNWAND);
NEWMATCHER('TAUT,'PARSETAUT,'TRYTAUT);
NEWSTRATEGY('LOGIC,'PARSELOGIC,'TRYLOGIC);

In each case the first argument is the standard name. The associated routines will be
stored in the property list of that atom.
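
The conventions of this chapter (what a parser returns, how TRYING hands the parser's list to the executer, what the executer returns, and how the stored REASON reaches the unwinder) can be followed end to end in a small model. The Python below is an added illustration, not GOAL's MLISP code: the names ANDI, ORI and FACT, the token-list scanner, the PopUp exception standing in for ENDM, and the fact-lookup matcher are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Goal:
    wff: object                       # atom (str) or ("and" | "or", left, right)
    facts: frozenset = frozenset()    # inherited by the sons
    sons: list = field(default_factory=list)
    reason: object = None             # unwinding information, stored by trying()
    vl: object = None                 # index of the proof line once the goal is proved

class PopUp(Exception):
    """Stands in for ENDM: drop the command line and return to the top level."""

GOALLIST, PROOF = "GOALLIST", []      # thread terminator; model of the FOL proof

def main_sym(wff):
    return wff[0] if isinstance(wff, tuple) else None

# Parsers: None = name not recognized, atom = not applicable, list = success.
def parse_and(goal, toks):
    if toks[:1] not in (["ANDI"], ["andi"]):
        return None
    toks.pop(0)
    return ["ANDI"] if main_sym(goal.wff) == "and" else "ANDI"

def parse_or(goal, toks):
    if toks[:1] not in (["ORI"], ["ori"]):
        return None
    toks.pop(0)
    if not toks or not toks[0].isdigit():
        raise PopUp("natural number expected")       # malformed <op_info>
    sp = int(toks.pop(0))
    if main_sym(goal.wff) != "or":
        return "ORI"
    if sp not in (1, 2):
        raise PopUp("The argument to PARSOR must be 1 or 2.")
    return ["ORI", sp]                # sp becomes the executer's third argument

def parse_fact(goal, toks):
    if toks[:1] not in (["FACT"], ["fact"]):
        return None
    toks.pop(0)
    return ["FACT"]

# Executers: None = no-operation, True = match, anything else = the REASON.
def try_and(thread, pswt):
    g = thread[0]
    if main_sym(g.wff) != "and":
        return None
    g.sons = [Goal(g.wff[1], g.facts), Goal(g.wff[2], g.facts)]
    return ["ANDI"]

def try_or(thread, pswt, sp):
    g = thread[0]
    if main_sym(g.wff) != "or":
        return None
    g.sons = [Goal(g.wff[sp], g.facts)]
    return ["ORI", sp]                # read back later by unw_or

def try_fact(thread, pswt):
    g = thread[0]
    if g.wff not in g.facts:
        return None
    PROOF.append((g.wff, "FACT"))     # a matcher adds the proof line itself
    return True

# Unwinders: return the new proof step; the master routine appends it.
def unw_and(g):
    return (g.wff, ("ANDI", g.sons[0].vl, g.sons[1].vl))
def unw_or(g):
    return (g.wff, ("ORI", g.sons[0].vl, g.reason[1]))

# Standard name -> (parser, executer, unwinder), as NEWTACTIC / NEWMATCHER record them.
REGISTRY = {"ANDI": (parse_and, try_and, unw_and),
            "ORI": (parse_or, try_or, unw_or),
            "FACT": (parse_fact, try_fact, None)}

def trying(x, pswt, thread):
    reas = REGISTRY[x[0]][1](thread, pswt, *x[1:])   # thread, printswitch, then CDR X
    if reas is True:
        thread[0].vl = len(PROOF) - 1                # last proof line is the goal
        for parent in thread[1:-1]:                  # unwind while all sons are proved
            if any(s.vl is None for s in parent.sons):
                break
            PROOF.append(REGISTRY[parent.reason[0]][2](parent))
            parent.vl = len(PROOF) - 1
    elif reas:
        thread[0].reason = reas                      # kept for the unwinder
    return reas

def try_using(thread, text):
    toks, x = text.split(), None
    for parser, _, _ in REGISTRY.values():
        x = parser(thread[0], toks)
        if x is not None:
            break
    if x is None or toks != [";"]:    # the semicolon is checked here, never in a parser
        raise PopUp("unrecognized command or missing semicolon")
    if isinstance(x, str):
        return f"The tactic {x} can't be applied to goal"
    return trying(x, True, thread)
```

A thread here is a Python list with the goal first, its ancestors after it and GOALLIST last, so a son's thread is `[son] + thread`; driving `try_using` down such threads fills PROOF from the leaves upward.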


4.7.  Conclusion. 


In this chapter we have presented some documentation for the would-be hackers of GOAL.
We may conclude that the programming of new strategies should be encouraged, while the
programming of new tactics and matchers will remain, for the time being, a ground reserved for
hardy souls. This situation may change when FOL has been redesigned, as we shall attempt to
show in the final chapter of this thesis.

We  conclude  this  chapter  with  a  summary  of  the  expressions  needed  in  order  to  call  the 
presently  available  tactics  and  matchers,  for  easy  reference  for  programmers  of  strategies. 


4.7.1.  Summary  of  calls  to  tactics  and  matchers. 


Calling the executer of a tactic or matcher, from the executer of a strategy, must be
always done by calling TRYING, which takes four arguments. The first of these four is itself a
list whose first element is the standard name of the callee. Any parameters that are specific
to an operating element must also be passed as part of this list.

For  easy  reference  we  shall  now  list  the  ways  to  use  the  first  argument,  for  the  most 
common  tactics  and  matchers.  The  second  argument  is  a  printswitch  (normally  T),  the  third  one 
is  the  thread  of  the  goal,  and  the  fourth  is  a  switch  that  should  normally  be  T. 

Thus  the  most  usual,  and  simplest  way  to  call  them  is: 

TRYING  (  EXPRESSION  ,  T  ,  THREAD  ,  T  ) 

where EXPRESSION is as follows:


<'?∧I>
<'?⊃I>
<'?≡I>
<'?∀I,NIL>
<'?∃I,NIL>
<'SIMPLIFY,NIL>
<'REWRITE,T,NIL,<<NIL,NIL>>>
<'CASES,NIL>
<'UNIFY,NIL>
<'MONADIC,NIL,T,NIL>
<'EQUNIFY>
<'TAUT,3,NIL,NIL>


Some other calls are valid. In particular, in the call to TAUT, 3 can be replaced by 4 to
invoke TAUTEQ, or by 5 to invoke both TAUT and TAUTEQ. In the call to CASES, NIL can be
replaced by a pointer to a VL, and in the call to REWRITE the expression <<NIL,NIL>> can be
replaced by a simpset.

Also, in the calls to TAUT and to MONADIC the first NIL can be replaced by a list of VLs,
and in that to UNIFY it can be replaced by a pointer to a VL.

Though  some  other  variations  are  also  possible,  the  above  list  should  take  care  of  most 
needs. 


5.  AUTOMATIC  THEOREM  PROVING  IN  GOAL. 


Our  research  fringes  on  the  area  of  automatic  theorem  proving,  but  differs  in  its  spirit  from 
most  of  the  current  research  in  that  discipline. 

Whereas  research  in  automatic  theorem  proving  typically  is  machine  oriented,  and  is 
concerned  with  obtaining  proofs  efficiently  by  careful  management  of  the  available  resources, 
ours  is  strictly  based  on  heuristic  sequencing  of  natural  deduction  rules  for  the  First  Order 
Predicate  Calculus. 

One consequence of this approach is that, when a theorem is proved by a strategy, a
complete FOL proof of that theorem is produced, which the user can inspect and understand.
This differs from the situation, common to many theorem provers, in which it is often very
difficult to understand how a particular theorem was concluded to be valid by the machine.

Although we are only secondarily concerned with theorem proving, some effort was
invested in devising a heuristic that would be a powerful theorem prover of its own. This is the
strategy LOGIC, presented in the next section.

The  effort  to  augment  the  power  of  LOGIC  has  forced  us  to  deal  with  some  unsolved 
issues  of  current  interest  to  researchers  in  automatic  theorem  proving.  One  of  the  purposes 
of  this  chapter  is  to  contribute  our  experience  to  these  discussions. 


5.1.  Automatic  theorem  proving  by  LOGIC. 


The routine LOGIC combines all the simple (or atomic) tactics and matchers available to
date in GOAL. This section comments LOGIC in plain English, and the next section gives an
algorithmic summary description of it. The reader may be well advised to read both
descriptions in parallel.

LOGIC  expands  the  tree  of  sub-goals  in  breadth  first  manner,  using  a  queue  of  unproved 
sub-goals.  The  reason  for  the  breadth  first  scheme  is  that  in  many  cases  the  system  is  unable 
to  match  sub-goals  that  have  been  decomposed  too  far  down.  Since  a  proved  sub-goal  is 
frequently  used  in  the  proof  of  a  descendant  of  one  of  its  brothers,  a  depth  first  heuristic 
fails  in  those  cases  where  the  "wrong"  branch  of  the  tree  was  decomposed  first.  This 
happens  in  the  pair  example  shown  next;  there,  a  depth  first  version  of  LOGIC  (with  which  I 
experimented  first)  succeeded  only  when  the  two  conjuncts  were  given  in  the  "correct" 
order;  whereas  the  presently  implemented  version  succeeds  either  way. 

At  every  node,  LOGIC  first  attempts  to  match  it  using  all  the  different  matchers  available: 
UNIFY,  TAUT  or  TAUTEQ  and  MONADIC;  unification  is  attempted  against  every  fact  in  the 
attached  FACTLIST ;  TAUT  or  TAUTEQ  Is  called  against  the  whole  collection  of  facts;  MONADIC 
is,  at  present,  called  only  against  the  GOALWFF  alone,  because  calling  it  against  a  whole  set 
of  l/Ls  dramatically  slows  down  the  system  and  it  often  causes  the  available  storage  capacity 
to  be  exceeded. 
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If  the  GOALWFF  is  matched  and  the  goal  is  not  a  top  level  one,  the  system  looks  up  the 
other  descendants  of  the  parent  of  the  matched  goal,  i.e.  it  attempts  unwinding  the  proof  as 
far  up  as  possible,  until  it  either  proves  a  top  level  goal  or  it  finds  one  or  more  unproved  sons 
of  a  parent  of  a  Just  proved  goal.  In  this  event,  it  adds  the  just  proved  goal  to  the  FACMST  of 
the  unproved  descendants  of  its  parent,  at  alt  levels  in  these  branches.  It  also  places  any 
unproved  leaves  of  these  branches  in  front  of  the  queue  (so  they  will  be  tried  next)  because 
they  stand  a  better  chance  now  that  a  new  fact  has  been  added  to  their  FACTLISTs. 

If no match is obtained, LOGIC checks whether anything has been added to the
SIMPSETLIST of that node¹ since the last attempt at rewriting that goal or any one of its
ancestors. If this is the case, it attempts to rewrite the goal. If the GOALWFF rewrites to
TRUE, this is treated as a match, as described above. If the WFF rewrites to a different WFF,
a son to that goal is created and is treated as described below. If the WFF does not rewrite,
then other tactics will be tried in the following order.

Now LOGIC first looks up whether the main symbol of the goalwff is ∀, ∃, ∧, ⊃ or ≡. In these
cases it calls the corresponding tactic, thus generating one or more sons to that goal. If this
is not possible, it looks up whether there is any fact in the FACTLIST that is a disjunction; if so,
CASES is applied against that fact.

If none of the attempts to either match or decompose the goal succeeded, the goal is
placed on a list of failed goals.

If  a  successful  decomposition  is  obtained,  LOGIC  immediately  tries  to  match  each  one  of 
the  just  created  sons.  If  a  match  (or  perhaps  more  than  one)  is  obtained,  any  unproved 
siblings  of  the  matched  goal  will  be  placed  in  front  of  the  queue  for  the  same  reason 
mentioned  earlier.  If  none  matches,  they  are  all  placed  at  the  end  of  the  queue. 

After  this,  LOGIC  picks  the  first  goal  in  the  queue  and  repeats  the  whole  process  just 
described,  with  one  variation:  since  an  attempt  to  match  is  made  before  placing  a  goal  in  the 
queue,  no  new  attempt  is  now  made  unless  some  fact  has  been  added  to  the  goal  (as  a 
consequence  of  having  proved  a  brother  of  some  ancestor  since  it  was  placed  in  the  queue). 
It  may  also  be  the  case  that  the  goal  was  in  the  meantime  tried  or  perhaps  even  proved  (and 
perhaps  also  "garbage  collected"  from  the  tree),  because  after  a  match  unproved  brothers 
are  put  in  front  of  the  queue.  The  system  is  able  to  recognize  all  these  situations  and  treat 
them  properly. 

Now, what happens if the queue becomes empty? There must be some goals in the fail list,
or otherwise LOGIC would have already proved a top level goal by now. All the goals in the fail
list are examined; if any of them have experienced any change since they were placed there
(i.e. additions of facts to them), these are placed in the queue of goals to be tried, and the
whole process continues. This does not cause an infinite loop, because every time that the
queue of goals to be tried becomes empty, LOGIC checks whether any changes to the list of
failed goals have occurred. If there is no change, it exits, leaving the tree in the state it has
gotten to, and announcing to the user the number of unproved leaves in the tree.

A successful exit occurs only when a top level goal is reached. If the original call to LOGIC
by the user was on a goal that is not top level, LOGIC will work below that node only as long
as the node does not become proved. But, if it succeeds in proving it, instead of exiting it will
continue working to its parent and down to its unproved brothers.


1 The SIMPSETADDFLAG is used for this purpose.


5.1.1. Summary of the LOGIC heuristics.


          1.-  Attempt MATCHING. If it succeeds then go MATCH.
TRYING:   2.-  If SIMPSETADDFLAG, attempt REWRITING.
               If it rewrites to TRUE, then go MATCH.
               If it rewrites to a different WFF, then go SPLIT.
          3.-  Attempt one of the tactics: ∀I, ∃I, ∧I, ⊃I, or ≡I.
               If one of these succeeds, then go SPLIT.
          4.-  Attempt CASES. If it succeeds then go SPLIT.
FAIL:     5.-  Place goal in FAIL list. Go 7.
SPLIT:    6.-  For each one of the sons, try MATCHING it.
               If none matched, then place them at the
               end of the QUEUE of goals to be tried.
               If there is a match, then,
               ( If there are more than one still unmatched sons,
                 then place them in front of the QUEUE and
                 go NEXT, else go MATCH ).
          7.-  If QUEUE is empty then go 9.
NEXT:     8.-  Pick first element of QUEUE. Attempt MATCHING.
               If match succeeds then go MATCH else go TRYING.
          9.-  Have facts been added to any goals in the FAIL list?
               If yes, place them in the QUEUE and go NEXT.
               If no, EXIT ( failure ).
          10.- If NULL(NEXTGOALTHREAD) then EXIT ( success ),
               else place NEXTGOALTHREAD in front of the QUEUE and go NEXT.


Notice that after any match in the goal structure the global variable NEXTGOALTHREAD will
be pointing to some unproved descendant of the parent of some just proved goal, unless a top
level goal was proved, in which case the variable will be NIL.


5.1.2. The PAIR example.


The following example is interesting on several accounts. It illustrates the following
features of GOAL.

1. A proved subgoal is required in order to prove its brother; GOAL attaches it to this
brother, and to any one of its descendants; thus one proved subgoal fertilizes another branch
of the goal tree.

2. This proved subgoal is included in the simpset of the other branch, because it is a
universally quantified equivalence.

3. Conditional simplification. LOGIC would not succeed without this feature, although a
different heuristic would. However, that different heuristic would not succeed in the examples
from [Kelley 1955], whereas LOGIC does.

4. The use of the quantelimlist. Its effect is similar to Skolemization.


5.1.2.1. Statement of the problem.


Given the axiom of EXTENSION, which states that two sets are equal if and only if they
have the same elements, and the PAIR axiom, which states the existence of the unordered
pair of x and y (i.e., a set whose only elements are x and y), the goal is to prove that the
unordered pair is unique.

LOGIC generates an eight step proof in FOL automatically. This proof is more compact than
what most sophisticated FOL users would normally achieve.


5.1.2.2. The GOAL generated proof.


The complete dialogue between the user and the system follows. Five asterisks is the
FOL prompt. User given commands begin immediately after the prompt and end with the first
semicolon or double semicolon. Anything else is typed by either FOL or GOAL. As an exception
to the above rule, the FOL command SHOW PROOF generates a type out of the complete FOL
proof, in which many lines beginning with five asterisks are typed by FOL (not by the user);
these lines indicate the reason for the next line of the proof, i.e. how that line was obtained in
FOL. Reasons generated by the GOAL unwinding mechanism are indistinguishable from those
that would result from direct use of FOL for interactive construction of the same proof.

*****DECLARE INDVAR x y z z1 u v w;
*****DECLARE PREDCONST ∈ 2 [INF];
*****AXIOM EXTENT: ∀x y.(x=y≡∀u.(u∈x≡u∈y));;
EXTENT: ∀x y.(x=y≡∀u.(u∈x≡u∈y))
*****AXIOM PAIR: ∀x y.∃w.∀u.(u∈w≡(u=x∨u=y));;
PAIR: ∀x y.∃w.∀u.(u∈w≡(u=x∨u=y))
*****GOAL ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
ASSUME PAIR SASSUME EXTENT;
Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
*****SHOWGOAL;
Goal #1: ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
VLSASSU: EXTENT ∀x y.(x=y≡∀u.(u∈x≡u∈y))
VLASSU: PAIR ∀x y.∃w.∀u.(u∈w≡(u=x∨u=y))
Simpsets: ( BY LOGICTREE COMPTREE)


COMMENT: the showgoal command shows that the axiom of EXTENT has been added as an
assumption and the axiom of PAIR as a sassumption. It also shows that (by default) the
simpsets LOGICTREE and COMPTREE have been attached. Next we show the result of invoking
the LOGIC tactic, and the proof it generates. A commentary follows.


♦♦♦♦♦TRY  USING  LOGIC; 

Goal  «1*1:  Vx  y.3z.(Vw.(w(zs(w=xvw=y))AVzl.(Vw.{w(zl®{w«xvw-y))=Va(u<zlEU<z») 

Goal  *  1 » 1 » 1 :  3z.(Vw.(w<ze(w-xvw-y ))aVz  1  .(Vw.(wCz  1  *(w-xvw-y)):>Vu.(u<Z  1  ■u<z))) 

Goal  «1#1«1#1:  Vw.(w(zs(w=xvw"y))AVzl.(Vw.(wCzl*{w-xvw»y))3Vu.(utzl»u<z)) 

Goal  V w.(w(z*{w«=xvw-y)) 

Goal  *1«1*1*1#2:  Vzl.(Vw.(w<zle(w-xvw«y))oVu.(u<zlsu<z)) 

1  3z.Vw.(w<z*(w-xvw-y)) 

2  Vw.(w(z*(w-xvw»y))  (2) 

3  VzUVw.(w<zl»(w-xvw*y))3Vu.(u<zliu<z))  (2) 

4  Vw.(w(z*(w"XVw»y))AVzl.(Vw,<w(zii(w"XVW-y))3Vu.(u(zl*u(z))  (2) 

5  3z.(Vw.(w<z»(w-xvw«y))AVzl.{Vw.{w<zle{w-xvw-y))oVu.{u<zl»u(z))) 

6  Vx  y.3z.(Vw.(w<z«(w"XVw«y))AVzl.(Vw.{w<zl*(w“xvw»y))oVu.(u(zl»u(z))) 

7  Vx  y.3z.(Vw.(w<z»(w«xvw-y))AVzl.(Vw.(w<zl*(w»xvw-y»3zl-z))  « 

Vx  y.3z.(Vw.(w<z*{w-xvw«y))AVzl.(Vw.(w(zmw-xvw-y))3Vu.(u<zl»u<z)» 


8 ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))

LOGIC SUCCEEDED!

COMMENT: everything following the command "TRY USING LOGIC" has been typed by the
system. The first subgoal that matches is #1#1#1#1#1 (line 2), and #1#1#1#1#2 matches
immediately thereafter (line 3). Line 3 depends on (2) because the system added (2) to the
simpset attached to goal #1#1#1#1#2 and it actually used line (2) to prove this goal. Finally
we use the FOL "SHOW PROOF" command to display the proof produced by the logic tactic.

*****SHOW PROOF;
*****UNIFY PAIR;
1 ∃z.∀w.(w∈z≡(w=x∨w=y))
*****∃E ↑ z;
2 ∀w.(w∈z≡(w=x∨w=y)) (2)
*****REWRITE ∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃∀u.(u∈z1≡u∈z))
BY ↑ EXTENT LOGICTREE COMPTREE;
3 ∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃∀u.(u∈z1≡u∈z)) (2)
*****∧I <2 3>;
4 ∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃∀u.(u∈z1≡u∈z)) (2)
*****∃I ↑ z;
5 ∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃∀u.(u∈z1≡u∈z)))
*****∀I ↑ x y;
6 ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃∀u.(u∈z1≡u∈z)))
*****REWRITE ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))
BY EXTENT LOGICTREE;
7 ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)) ≡
  ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃∀u.(u∈z1≡u∈z)))
*****TAUT ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z)) 6,7;
8 ∀x y.∃z.(∀w.(w∈z≡(w=x∨w=y))∧∀z1.(∀w.(w∈z1≡(w=x∨w=y))⊃z1=z))


5.1.3. Commentary to the PAIR example.


The steps followed by the LOGIC tactic are explained in detail in this section.

When LOGIC is invoked on the goal #1, it first attempts to match the goal: it fails. Then it
attempts to rewrite the goal by syntactic simplification using the attached simpsets plus the
sassumed axiom of extent. This produces a different WFF, which becomes goal #1#1. This
WFF was obtained by rewriting "z1=z" by the axiom of extent. Why was "w=x∨w=y" not
rewritten? The reason is that the rewrite tactic has noticed that this is part of the wff
"w∈z≡w=x∨w=y" which has the same structure as a wff in the assume list: namely, it has the
same structure, except for the leading quantifiers, as the assumed axiom PAIR. Recognizing
that that part of the goal is potentially matchable against that fact, it does not rewrite it.
This shows conditional simplification.

#1#1#1 is obtained from #1#1 by elimination of the leading universals.

The #1#1#1#1 is obtained by elimination of the leading existential.

This goal is then decomposed into two sub-goals because its main logical connective is
"∧".

Next, #1#1#1#1#1 is unified by the UNIFY tactic against the axiom PAIR. This tactic
recognizes that the wff "∀w.(w∈z≡(w=x∨w=y))" cannot be directly unified against PAIR, but that,
by reintroducing the existential on z, which -as it remembers- was eliminated further up in the
tree, the WFF "∃z.∀w.(w∈z≡(w=x∨w=y))" can be unified against PAIR. Thus it produces this WFF
as a first line of the proof, and then it eliminates the existential, producing line 2 of the proof,
which matches the subgoal. This matched subgoal is added as a fact to its brother
#1#1#1#1#2².

When trying #1#1#1#1#2, LOGIC recognizes that a fact has been added to this sub-goal,
namely line 2 which proves its brother. It first tries the matchers, which fail. When the goal is
prepared by the first TRY, the system recognizes that the wff of the added fact,
"∀w.(w∈z≡w=x∨w=y)" should be added to the simpset since it is a universally quantified
equivalence. After the matchers fail, LOGIC recognizes that a new element has been added to
the simpset. Therefore it attempts a new rewrite on this sub-goal. In this event, the wff
rewrites to TRUE³, thus this subgoal has been proved. Since it was the last unproved leaf of
the tree, the proof now unwinds automatically.

If the two conjuncts of #1#1#1#1 had been switched as the goal was created (i.e. B∧A
instead of A∧B), LOGIC would have produced exactly the same proof. This is noteworthy
because proof of one of the two conjuncts is required in order to be able to prove the other.
Thus a strictly top-down scheme would succeed only if the conjuncts were given in the
"right" order. But LOGIC carries the search in a breadth first fashion.


2 As the variable z is matched against the existentially eliminated variable in line 2, GOAL records this as a binding, meaning
that now z, in the other branch of the goal tree, is not free any more for matching against arbitrary terms, as it was before. Also
it records where in the goal tree that binding took place, and in case of an abandoning of an ancestor of that goal, z would be
made free again.

3 It does so because the simpset LOGICTREE is attached to the goal by default.
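
The queue discipline from the summary of the LOGIC heuristics, and the order independence noted in the commentary, as an added Python sketch that is not part of the thesis or of GOAL. It goes beyond the text by using a constructed propositional toy: the weak `match`, the two tactics and all names are assumptions, and the unlabeled step 10 is taken to be what "go MATCH" refers to.

```python
from collections import deque

# Constructed toy logic: an atom is a string; ('and', a, b) and ('imp', a, b) are wffs.
# match() is deliberately weak (lookup plus ONE modus ponens step): a goal may need a proved brother.

class Goal:
    def __init__(self, wff, facts, parent=None):
        self.wff, self.facts, self.parent = wff, set(facts), parent
        self.sons, self.proved, self.dirty = [], False, False  # dirty: fact added since last try

def match(g):
    return g.wff in g.facts or any(
        isinstance(f, tuple) and f[0] == 'imp' and f[2] == g.wff and f[1] in g.facts
        for f in g.facts)

def decompose(g):
    """Tactics: inverses of and-introduction and implication-introduction."""
    if isinstance(g.wff, tuple) and g.wff[0] == 'and':
        g.sons = [Goal(g.wff[1], g.facts, g), Goal(g.wff[2], g.facts, g)]
    elif isinstance(g.wff, tuple) and g.wff[0] == 'imp':
        g.sons = [Goal(g.wff[2], g.facts | {g.wff[1]}, g)]  # antecedent becomes a fact
    return bool(g.sons)

def leaves(g):
    if g.proved:
        return []
    return [g] if not g.sons else [l for s in g.sons for l in leaves(s)]

def add_fact(g, fact):
    if not g.proved:                      # attach to the unproved branch, at all levels
        g.facts.add(fact)
        g.dirty = True
        for s in g.sons:
            add_fact(s, fact)

def unwind(g, queue):
    """After a match: climb while every son is proved; True if the top goal is proved."""
    g.proved = True
    while g.parent is not None:
        pending = [s for s in g.parent.sons if not s.proved]
        if pending:                       # fertilize the unproved brothers
            for s in pending:
                add_fact(s, g.wff)
            for leaf in reversed([l for s in pending for l in leaves(s)]):
                if leaf in queue:
                    queue.remove(leaf)
                queue.appendleft(leaf)    # they are tried next
            return False
        g = g.parent
        g.proved = True
    return True

def logic(top):
    queue, failed = deque([top]), []
    while True:
        while queue:
            g = queue.popleft()
            if g.proved or g.sons:        # proved or decomposed in the meantime
                continue
            failed = [f for f in failed if f is not g]
            g.dirty = False
            if match(g):
                if unwind(g, queue):
                    return True
                continue
            if not decompose(g):
                failed.append(g)          # FAIL list
                continue
            hit = False
            for s in g.sons:              # SPLIT: try matching each new son
                if not s.proved and match(s):
                    hit = True
                    if unwind(s, queue):
                        return True
            if not hit:
                queue.extend(g.sons)      # none matched: end of the queue
        retry = [g for g in failed if g.dirty and not g.proved]
        if not retry:
            return False                  # no change in the FAIL list: exit (failure)
        failed = [g for g in failed if not g.dirty]
        queue.extend(retry)

def depth_first(wff, facts):
    """Depth-first variant: a proved son helps only the brothers to its right."""
    g = Goal(wff, facts)
    if match(g):
        return True
    decompose(g)
    extra = set()
    for s in g.sons:
        if not depth_first(s.wff, s.facts | extra):
            return False
        extra.add(s.wff)
    return bool(g.sons)

# Constructed facts: B is matchable only once A is a fact, C only once B is.
FACTS = {'P', ('imp', 'P', 'A'), ('imp', 'A', 'B'), ('imp', 'B', 'C')}
RIGHT = ('and', 'A', ('and', 'B', 'C'))   # each conjunct's prerequisite comes first
WRONG = ('and', ('and', 'C', 'B'), 'A')   # same goal with the conjuncts reversed
```

`logic(Goal(WRONG, FACTS))` and `logic(Goal(RIGHT, FACTS))` both succeed, while `depth_first` succeeds only on `RIGHT`.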


5.1.4. The initial theorems from Kelley.


LOGIC has generated automatic proofs of the first 32 theorems in the Appendix on Set
Theory in [Kelley 1955]. It has also generated automatic proofs of several further theorems.
In addition, for some theorems it has proved all but one of the subgoals it generated; in some
of these cases the unproved subgoal could be proved by one additional FOL command, and
then GOAL would unwind the proof.

[Kelley 1955] uses the following form of the comprehension axiom scheme:


COMPREHENSION: ∀x.( x∈{y|P(y)} ≡ SET(x) ∧ P(x) ).


Comprehension terms are automatically rewritten by LOGIC according to that axiom
scheme. This is accomplished by the simpset COMPTREE, which is attached to goals by
default.

The pattern of the proofs of those first 32 theorems is the same as in the following
example (Theorem 4, part 2). In each case, the user has to attach the appropriate set of
facts, using SASSUME, in order for LOGIC to succeed.

That pattern consists of a subgoaling by REWRITE, followed by a match by MONADIC.


5.1.4.1. An example from Kelley.


*****DECLARE INDVAR x y z;
*****DECLARE PREDCONST ∈ 2 [INF];
*****DECLARE OPCONST ∪ 2 [INF];
*****AXIOM SET: ∀x.(SET(x)≡∃y.x∈y);;
SET: ∀x.(SET(x)≡∃y.x∈y)
*****AXIOM UNION: ∀x y.x∪y={z|z∈x∨z∈y};;
UNION: ∀x y.(x∪y)={z|z∈x∨z∈y}
*****GOAL ∀x y z.(z∈x∪y≡z∈x∨z∈y) SASSUME SET UNION;
Goal #1: ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y))
*****TRY USING LOGIC;
Goal #1#1: ∀x y1 z.((∃y.z∈y∧(z∈x∨z∈y1))≡(z∈x∨z∈y1))
1 ∀x y1 z.((∃y.z∈y∧(z∈x∨z∈y1))≡(z∈x∨z∈y1))
2 ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y))≡∀x y1 z.((∃y.z∈y∧(z∈x∨z∈y1))≡(z∈x∨z∈y1))
3 ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y))

LOGIC SUCCEEDED!

*****SHOW PROOF;
*****MONADIC ;
1 ∀x y1 z.((∃y.z∈y∧(z∈x∨z∈y1))≡(z∈x∨z∈y1))
*****REWRITE ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y)) BY UNION SET LOGICTREE COMPTREE;
2 ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y))≡∀x y1 z.((∃y.z∈y∧(z∈x∨z∈y1))≡(z∈x∨z∈y1))
*****TAUT ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y)) 1,2;
3 ∀x y z.(z∈(x∪y)≡(z∈x∨z∈y))
*****


5.2. Issues in goal oriented theorem proving.


This  chapter  ends  with  a  discussion  of  some  problems  for  which  we  have  not  found  any 
satisfactory  solution.  These  have  to  do  with  some  trade  offs  between  the  amount  of 
manipulation  of  the  assertions  by  theorem  proving  strategies  and  the  complexity  of  these 
strategies. 

Not having found one generally good way of dealing with these trade offs, perhaps the
best approach would be to maximize the degree of user's control over the manipulations of
the assertions in such a way that the strategies can control these manipulations with the
same flexibility as they control the decomposition of goals.

This approach would be in keeping with the general conclusions suggested in this thesis. It
is better to strive for a flexible environment in which strategies can be programmed, and to
live with specialized ones, rather than with maximally powerful, heavy theorem provers. But a
good deal of thought is still needed before the flexibility of GOAL can be extended to the
manipulation of the assertions.


5.2.1. Subgoaling and assertions.


From our point of view as a user of GOAL, a goal is a WFF to be proved; attached to this
WFF, there are facts or assertions, simpsets, and some other information. This approach is
sensible because the reduction rules incorporated in the tactics are natural, in the sense that
they correspond to the natural deduction [Prawitz 1965] rules of FOL. This makes it easy for
the user to understand the description and to conduct interactive proof construction in GOAL.

From  the  point  of  view  of  the  design  of  automatic  theorem  proving  heuristics,  the  more 
elegant  approach  taken  by  [Brown  1977a,  1977b,  1978]  is  better.  This  researcher  defines 
transformations  between  sequents,  a  sequent  being  a  collection  of  assertions  and  goals.  The 
meaning  of  a  sequent  is  that  the  disjunction  of  the  goals  (i.e.,  at  least  one  of  them)  follows 
from  the  conjunction  of  the  assertions.  That  approach  establishes  a  duality  between  goals 
and  assertions,  so  that  the  rules  that  manipulate  the  latter  do  not  have  a  different  status  from 
those  that  manipulate  goals. 

Our tactics can be described in that way, and most of the rules in Brown's papers are
indeed in GOAL. However, in our system goals and assertions (or facts) have a quite different
status because the latter are VLs of the FOL proof, while the goals are WFFs without any
FOL status. In line with our efforts to keep GOAL consistent with FOL, any WFFs in the
FACTLIST⁴ of a goal are written as assumptions onto the FOL proof⁵ before the goal is tried.

This stringent requirement that the facts must always be VLs makes unwinding simple.


5.2.2. Working on the assertions.


Some theorems can be proved from the axioms mainly by manipulation of the goals. In
those cases, GOAL is generally successful. But some other theorems require many
manipulations of the axioms, before these can be used to prove the goals. For instance: the
axioms may be rewritten; conjunctive axioms may be decomposed into VLs that assert the
disjuncts separately; or several axioms may be combined in order to obtain a different
assertion.


5.2.2.1. RESOLVE.


In GOAL, some transformations of the facts, or assertions, have been built into the prepare
mechanism. In particular, PREPARE attempts to RESOLVE an assumption generated by the
implication rule, ⊃I, against the other VLs in the FACTLIST. RESOLVE is a FOL inference rule
based on a variation of UNIFY that will perform some inferences of the following type: from
two assertions "∀x.(A(x)⊃B(x))" and "A(t)", an assertion "B(t)" may be inferred. RESOLVE is
as yet undocumented, like UNIFY, and it is still in a developmental stage; thus we will not
describe it any further.

For automatic theorem proving, it is often important that such inferences be drawn
automatically. But the generation of many possible inferences from a set of facts tends to
increase the complexity of the heuristics; it causes many new VLs to be generated, and in
many cases it causes the theorem prover to fail because it takes a wrong path.


4 For instance, the antecedent of an implication after subgoaling by the implication rule.

5 Using the FOL ASSUME command.


5.2.2.2. Rewriting assertions vs. conditional simplification.


In  the  PAIR  example  discussed  earlier,  we  saw  that  conditional  simplification  prevented 
parts  of  the  goal  from  being  rewritten.  If  that  part  of  the  goal  that  claims  the  existence  of  the 
unordered  pair  had  been  rewritten,  it  would  not  have  matched  against  the  PAIR  axiom  that 
asserts  its  existence,  unless  that  axiom  had  also  been  rewritten  by  the  axiom  of  EXTENT. 

This situation occurs quite often. One would be tempted to rewrite every assertion in the
FACTLIST using the simpset attached to the goal, and to add the rewritten VLs to that
FACTLIST, in order to increase the power of the theorem prover. But doing this would cause a
large, probably exponential, increase in the running time, and it would heavily tax the storage
requirements. Also it would cause many useless VLs to be added to the proof, and this would
make the proofs generated by GOAL much more unreadable and difficult to understand.

Thus  we  chose  not  to  rewrite  assertions.  Instead  conditional  simplification  is  used  in  order 
to  prevent  rewriting  of  those  parts  of  goals  that  are  potentially  matchable  against  some  fact. 

Conditional  simplification  was  implemented  by  testing,  at  each  step  in  the  (recursive) 
rewrite  loop,  whether  the  subwff  would  pass  the  isomorphy  test  that  UNIFY  uses.  If  it  does, 
rewriting  of  that  subwff,  and  of  any  one  of  its  parts,  is  blocked. 

This approach presents problems of its own, however. For instance, when there are some
facts whose main connective is the equality symbol "="⁶, the sides of any equality in the
GOALWFF would not be rewritten. In many cases this restriction is excessive and it prevents
effective theorem proving.

We  have  not  found  any  near  optimal  solution  to  these  trade  offs.  Instead,  we  have 
provided  the  executer  of  the  REWRITE  tactic  with  a  flag  to  activate  conditional  simplification. 
When  the  tactic  is  called  directly  by  the  TRY  command,  the  flag  is  off.  In  a  user  programmed 
strategy,  the  flag  can  be  controlled  by  the  strategy. 

The  interested  reader  may  refer  back  to  the  discussion  of  conditional  simplification  in  the 
introduction,  where  the  difference  between  ours  and  the  Edinburgh  [Gordon,  Milner  and 
Wadsworth  1977]  version  was  pointed  out. 


6 The equality symbol is a predicate constant in FOL.
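
Conditional simplification applied to the uniqueness half of the PAIR goal, as an added Python sketch rather than code from GOAL or FOL. The tuple encoding and the `shape`-based `isomorphic` test are assumptions standing in for the isomorphy test of UNIFY, which the thesis does not document.

```python
# Wffs are nested tuples; variables are plain strings (constructed encoding).
#   ('eq', a, b)  a=b      ('in', a, b)  a∈b      ('or', p, q)    ('iff', p, q)
#   ('imp', p, q)          ('forall', v, p)       ('exists', v, p)

def strip_quantifiers(wff):
    while wff[0] in ('forall', 'exists'):
        wff = wff[2]
    return wff

def shape(wff):
    """Skeleton of a wff: operators kept, every variable replaced by '_'."""
    if isinstance(wff, str):
        return '_'
    if wff[0] in ('forall', 'exists'):
        return (wff[0], '_', shape(wff[2]))
    return (wff[0],) + tuple(shape(a) for a in wff[1:])

def isomorphic(sub, fact):
    # Assumed stand-in for UNIFY's isomorphy test: same skeleton as the fact
    # once the fact's leading quantifiers are dropped.
    return shape(sub) == shape(strip_quantifiers(fact))

def extent(wff):
    """EXTENT used as a rewrite rule: a=b  ->  ∀u.(u∈a ≡ u∈b)."""
    if wff[0] == 'eq':
        return ('forall', 'u', ('iff', ('in', 'u', wff[1]), ('in', 'u', wff[2])))
    return None

def rewrite(wff, rule, facts, conditional):
    """Recursive rewrite loop. With `conditional` set, a subwff that is potentially
    matchable against some fact is left alone, together with all of its parts."""
    if isinstance(wff, str):
        return wff
    if conditional and any(isomorphic(wff, f) for f in facts):
        return wff
    new = rule(wff)
    if new is not None:
        return new
    if wff[0] in ('forall', 'exists'):
        return (wff[0], wff[1], rewrite(wff[2], rule, facts, conditional))
    return (wff[0],) + tuple(rewrite(a, rule, facts, conditional) for a in wff[1:])

def pair_body(s):
    """w∈s ≡ (w=x ∨ w=y)"""
    return ('iff', ('in', 'w', s), ('or', ('eq', 'w', 'x'), ('eq', 'w', 'y')))

# PAIR: ∀x y.∃w.∀u.(u∈w ≡ (u=x ∨ u=y))
PAIR = ('forall', 'x', ('forall', 'y', ('exists', 'w', ('forall', 'u',
        ('iff', ('in', 'u', 'w'), ('or', ('eq', 'u', 'x'), ('eq', 'u', 'y')))))))

# Uniqueness half of the PAIR goal: ∀z1.(∀w.(w∈z1 ≡ (w=x ∨ w=y)) ⊃ z1=z)
GOAL = ('forall', 'z1', ('imp', ('forall', 'w', pair_body('z1')), ('eq', 'z1', 'z')))

FLAG_ON = rewrite(GOAL, extent, [PAIR], True)    # only z1=z is rewritten
FLAG_OFF = rewrite(GOAL, extent, [PAIR], False)  # w=x and w=y are rewritten as well
```

With the flag on, the antecedent keeps the shape of PAIR and stays matchable; with it off, it no longer does. Adding a fact whose main connective is "=" to `facts` blocks the rewrite of `z1=z` too, which is the excessive restriction described above.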


6.  SOME  FUTURE  ORIENTED  CONCLUSIONS. 


The three main accomplishments of our research are: the creation of a command language
for top down construction of proofs in FOL and the demonstration of its usefulness; that this
language is extensible; and the demonstration of the practicability of our approach to automatic
theorem proving.

Enough  has  been  said  about  these  three  aspects  in  this  thesis.  But  not  much  has  been 
said  about  what  we  have  learned  of  how  a  first  order  logic  proof  checker  could  fit  with  a  goal 
command  language.  Therefore  we  want  to  conclude  with  some  remarks  about  this. 


6.1.  Ideal  FOL  and  GOAL. 


In an ideal FOL proof checker, the parsing of user's commands is completely separated
from the "semantic" routines that effect the actions of these commands. The parsing routines
and the semantic (or action) routines communicate through a carefully designed system of
interfaces. Furthermore, the system of reasons¹ maps this system of interfaces so well that
they could themselves be passed as input to FOL.

The first consequence of this is that the programming of new tactics and of new matchers
in GOAL becomes as easy and reliable as the programming of strategies. At present, no faulty
deduction by strategies is possible if the tactics and matchers are sound. Thus we can
guarantee the user that extensions to GOAL will be foolproof if they are limited to the
addition of strategies. With ideal FOL we can make the programming of new tactics and
matchers foolproof as well.

For  tactics,  the  programming  of  unwinders  becomes  unnecessary.  They  can  be 
automatically  generated.  The  user  has  to  specify  what  FOL  rule  the  tactic  is  inverse  to,  and 
to  make  sure  that  the  executor  returns  an  item  that  conforms  to  the  rules  for  the  FOL  reasons 
for  the  proof  steps.  At  unwinding  time,  FOL  will  then  know  how  to  take  the  appropriate  action 
so  as  to  generate  the  new  step  of  the  proof. 

For  matchers,  the  executer  looks  quite  simple.  It  simply  calls  the  appropriate  FOL  decision 
procedure,  through  the  corresponding  interface. 

All of this is fairly obvious. FOL is not far from having this structure, but its actual code is
not quite there yet.


6.2. Extensibility and METAFOL.


Research on the formalization of FOL in FOL has progressed in parallel to our research
[Weyhrauch 1978a]. That research aims at the mechanization of this formalization, so that
properties of FOL can be both formalized and easily proved in FOL.

It has been already pointed out that a high level language for the programming of
extensions by the user is both desirable and feasible. It appears that METAFOL offers both a
language for describing new modes of inference and the possibility of proving their
correctness in FOL. This seems a fruitful direction for further research. I think that it
addresses the basic problems of describing new tactics, matchers, and strategies,
adequately. Appropriate attention should also be given to the full range of questions
regarding the type of facilities that ought to be given the user for manipulating facts and
simpsets in the context of theorem proving strategies, in order to make a powerful and high
level programming language for theorem proving applications.

This suggested research may bring about the exciting possibility that extensions to GOAL
can be described and proved correct in FOL using METAFOL; when the user convinces FOL of
the correctness of a proposed extension, it gets accepted and automatically converted into a
working extension to GOAL.


7. APPENDIX 1: THE TAKEUCHI FUNCTION.


The following proof illustrates two aspects of GOAL: top down proof construction, and the
use of extensibility. It is also interesting in that it shows the potential of First Order Logics
for program verification.


7.1.  Introduction. 


The Takeuchi function was devised by Ikuo Takeuchi of the Electrical Communication
Laboratory of Nippon Telephone and Telegraph Co. for the purpose of comparing the speeds
of LISP systems. It can be made to run a long time without generating large numbers or using
much stack. It is defined as follows.


tak(x,y,z) = if x≤y then y else tak(tak(x-1,y,z),tak(y-1,z,x),tak(z-1,x,y))

[McCarthy 1978a] showed that this function is equal to the following simpler expression.

tak0(x,y,z) = if x≤y then y else if y≤z then z else x

The same author [McCarthy 1978b] constructed a 50 step FOL proof of this fact, without
using GOAL. We shall compare the proof using GOAL with McCarthy's proof.
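
An empirical check of this identity, added here as an example and not taken from the thesis or from McCarthy's proof: it compares the two definitions on a small constructed grid of integers and records how many calls tak makes and how large its arguments get. `check_grid` and the `stats` dictionary are assumed names.

```python
def tak(x, y, z, stats):
    """Takeuchi's function as defined above, evaluated call by value."""
    stats['calls'] += 1
    stats['maxabs'] = max(stats['maxabs'], abs(x), abs(y), abs(z))
    if x <= y:
        return y
    return tak(tak(x - 1, y, z, stats),
               tak(y - 1, z, x, stats),
               tak(z - 1, x, y, stats), stats)


def tak0(x, y, z):
    """The simpler expression shown equal to tak."""
    if x <= y:
        return y
    return z if y <= z else x


def check_grid(lo, hi):
    """Compare tak and tak0 on every integer triple in [lo, hi]^3.

    Returns (mismatches, stats): the triples on which the two differ, and the
    total number of calls plus the largest absolute argument value tak received.
    """
    stats = {'calls': 0, 'maxabs': 0}
    mismatches = [(x, y, z)
                  for x in range(lo, hi + 1)
                  for y in range(lo, hi + 1)
                  for z in range(lo, hi + 1)
                  if tak(x, y, z, stats) != tak0(x, y, z)]
    return mismatches, stats
```

On a grid of non-negative inputs the arguments never exceed the largest input and never fall below the smallest input minus one, which is the "no large numbers" property; the call count is what grows.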


7.2.  A  strategy  for  case  analysis. 


A strategy was added to GOAL for this proof. We shall use the example in order to
illustrate the process of extending GOAL in detail. This strategy is very similar to IFCASES. It
differs from it in that it does not expand the conditional wffs and the conditional terms into
formulae without conditionals. Doing that expansion did not yield good results in this example.
We chose the name IFCASESHORT, in order to distinguish it from IFCASES.

Let us first look at the parser. It was decided that the user had to explicitly tell to the
parser the WFF on which the case analysis was to be carried. The following two routines
implement the parser.


EXPR PARSEIFCASESHORT(G,X);
IF TK2('IFCASESHORT,'ifcaseshort)
THEN IF X←WFF#(NIL) THEN RETURN(<'IFCASESHORT,X>)
ELSE IFCASEPARSEMSGH1() ALSO ENDL();

EXPR IFCASEPARSEMSGH1();
BEGIN TERPRI();
PRINC("IF-CASES-SHORT requires that you specify a WFF.");
END;


Now let us look at the executer and comment on the code. The parameter WF is the WFF
specified by the user. The executer first calls the CASES tactic on WF and ¬WF. Thus, if the
original WFF of the goal is GWF, the two subgoals generated by this tactic are WF⊃GWF and
¬WF⊃GWF. For each of these two subgoals, our strategy calls the tactic ⊃I and then the
REWRITE tactic. The calls to ⊃I occur at the label REP in the code, which is executed twice. A
call to ⊃I causes the antecedent to be attached to the subgoal as an assumption. Since it will
not necessarily be placed into the SIMPSET, the next three lines of code force this
assumption to be written onto the FOL proof and to be put into the SIMPSET before calling
REWRITE. The prepare mechanism causes a negation ¬WF to be also written as WF≡FALSE
because this form happens to work better with the rewrite code.


EXPR TRYIFCASESHORT(THREAD,PSWT,WF);
BEGIN NEW S, S1, MT, G, THR;
TRYING(<'CASES,WF>,PSWT,THREAD,T);
S←son(1,goal(THREAD));
S1←son(2,goal(THREAD));
REP; TRYING(<'⊃I>,PSWT,S CONS THREAD,NIL);
PREPARE(G←goal(THR←NEXTGOALTHREAD),NIL);
MT←<<NIL,NIL>>;
VLADD(CAR PROOF,MT/SUBSTLEAF&);
TRYING(<'REWRITE,NIL,<CAAR PROOF>,MT>,PSWT,THR,NIL);
IF S1 THEN S←S1 ALSO S1←NIL ALSO GO REP;
RETURN('IFCASESHORT);
END;


These  routines  must  now  be  added  to  the  system,  together  with  the  following  statement. 


NEWSTRATEGY('IFCASESHORT,'PARSEIFCASESHORT,'TRYIFCASESHORT);

And now the extension is complete. The most difficult part of this code is that which has
to do with forcing the assumption into the SIMPSET. That part requires an understanding of the
REWRITE code, which users of FOL cannot be required to possess. The example thus
illustrates the importance of devising a high level language for programming strategies. That
high level language should not be too restrictive in the amount of control allowed over
assumptions, simpsets, 1/Z.s, and other items.


7.3. McCarthy's FOL proof.


The declarations, the axioms, and the whole proof devised by [McCarthy 1978b] follow.
Axiom LESS comprises nine lemmas, not all of which are actually used in the proof. I found that
LESS1, LESS3, and LESS6 are unnecessary. These lemmas are similar to the verification
conditions used by program verification systems.


7.3.1.  Declarations. 


declare INDVAR x y z ∈ REAL;
declare OPCONST pred(REAL) = REAL[PRE];
declare OPCONST tak0(REAL,REAL,REAL) = REAL;
declare OPCONST tak1(REAL,REAL,REAL) = REAL;
declare PREDCONST <(REAL,REAL)[L←455,R←455];
declare PREDCONST ≤(REAL,REAL)[L←455,R←455];


7.3.2.  Axioms. 


LESS: LESS1: ∀x.pred x<x
LESS2: ∀x.pred x≤x
LESS3: ∀x y.((x<y∧(¬(x=y)∧¬(y<x)))∨((¬(x<y)∧(x=y∧¬(y<x)))∨(¬(x<y)∧(¬(x=y)∧y<x))))
LESS4: ∀x y z.(((x<y∧y<z)⊃x<z)∧(((x≤y∧y<z)⊃x<z)∧(((x<y∧y≤z)⊃x<z)∧((x≤y∧y≤z)⊃x≤z))))
LESS5: ∀x y.(x≤y≡(x<y∨x=y))
LESS6: ∀x.¬(x<x)
LESS7: ∀x.x≤x
LESS8: ∀x y.(¬(x<y)≡y≤x)
LESS9: ∀x y.(y<x≡¬(x≤y))

TAK0: ∀x y z.tak0(x,y,z)=IF x≤y THEN y ELSE IF y≤z THEN z ELSE x

TAK1: ∀x y z.tak1(x,y,z)=IF x≤y THEN y ELSE tak0(tak0(pred x,y,z),tak0(pred y,z,x),tak0(pred z,x,y))


7.3.3. The proof.


"The  proof  is  actually  a  cleaned  up  version  of  a  68  step  proof  that  was  in  some  ways  more 
informative.  Namely,  I  used  the  REWRITE  rule  with  what  inequalities  I  had  and  looked  at  the  right 
hand  side  to  see  which  ones  I  still  should  look  for.  In  particular,  the  splitting  of  the  main  case  into 
subcases was determined empirically by seeing what propositional terms appeared in the
conditional  expressions.  From  this  point  of  view,  FOL  helped  in  generating  the  proof  and  didn’t 
merely  check  a  pre-existing  proof." 


[McCarthy 1978b]


*****ASSUME x≤y;
1 x≤y (1)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY LOGICTREE∪{TAK0,TAK1,1};
2 tak1(x,y,z)=tak0(x,y,z) (1)
*****⊃I ↑↑⊃↑;
3 x≤y⊃tak1(x,y,z)=tak0(x,y,z)
*****ASSUME ¬(x≤y);
4 ¬(x≤y) (4)
*****REWRITE y<x BY LOGICTREE∪{LESS9,4};
5 y<x (4)
*****ASSUME y≤z;
6 y≤z (6)
*****ASSUME pred x≤y;
7 pred x≤y (7)
*****∀E LESS2 y;
8 pred y≤y
*****∀E LESS4 pred y,y,z;
9 ((pred y<y∧y<z)⊃pred y<z)∧(((pred y≤y∧y<z)⊃pred y<z)
∧(((pred y<y∧y≤z)⊃pred y<z)∧((pred y≤y∧y≤z)⊃pred y≤z)))
*****TAUT pred y≤z 6,8:9;
10 pred y≤z (6)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY LOGICTREE∪{TAK0,TAK1,4:7,10};
11 tak1(x,y,z)=tak0(x,y,z) (4 6 7)
*****⊃I 7⊃↑;
12 pred x≤y⊃tak1(x,y,z)=tak0(x,y,z) (4 6)
*****ASSUME ¬(pred x≤y);
13 ¬(pred x≤y) (13)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY LOGICTREE∪{TAK0,TAK1,LESS7,4:6,10,13};
14 tak1(x,y,z)=tak0(x,y,z) (4 6 13)
*****⊃I ↑↑⊃↑;
15 ¬(pred x≤y)⊃tak1(x,y,z)=tak0(x,y,z) (4 6)
*****TAUT tak1(x,y,z)=tak0(x,y,z) 12,15;
16 tak1(x,y,z)=tak0(x,y,z) (4 6)
*****⊃I 6⊃↑;
17 y≤z⊃tak1(x,y,z)=tak0(x,y,z) (4)
*****ASSUME ¬(y≤z);
18 ¬(y≤z) (18)
*****REWRITE z<y BY LOGICTREE∪{LESS9,18};
19 z<y (18)
*****∀E LESS4 z,y,x;
20 ((z<y∧y<x)⊃z<x)∧(((z≤y∧y<x)⊃z<x)∧(((z<y∧y≤x)⊃z<x)∧((z≤y∧y≤x)⊃z≤x)))
*****∀E LESS5 z,x;
21 z≤x≡(z<x∨z=x)
*****TAUT z≤x 5,19:21;
22 z≤x (4 18)
*****∀E LESS4 pred z,z,x;
23 ((pred z<z∧z<x)⊃pred z<x)∧(((pred z≤z∧z<x)⊃pred z<x)
∧(((pred z<z∧z≤x)⊃pred z<x)∧((pred z≤z∧z≤x)⊃pred z≤x)))
*****∀E LESS2 z;
24 pred z≤z
*****∀E LESS4 pred z,z,x;
25 ((pred z<z∧z<x)⊃pred z<x)∧(((pred z≤z∧z<x)⊃pred z<x)
∧(((pred z<z∧z≤x)⊃pred z<x)∧((pred z≤z∧z≤x)⊃pred z≤x)))
*****TAUT pred z≤x 22,24:25;
26 pred z≤x (4 18)
*****ASSUME pred x≤y;
27 pred x≤y (27)
*****ASSUME pred y≤z;
28 pred y≤z (28)
*****ASSUME ¬(pred x≤y);
29 ¬(pred x≤y) (29)
*****ASSUME ¬(pred y≤z);
30 ¬(pred y≤z) (30)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{27:28};
31 tak1(x,y,z)=tak0(x,y,z) (4 18 27 28)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{27,30};
32 tak1(x,y,z)=tak0(x,y,z) (4 18 27 30)
*****∀E LESS4 pred x,z,y;
33 ((pred x<z∧z<y)⊃pred x<y)∧(((pred x≤z∧z<y)⊃pred x<y)
∧(((pred x<z∧z≤y)⊃pred x<y)∧((pred x≤z∧z≤y)⊃pred x≤y)))
*****∀E LESS5 z,y;
34 z≤y≡(z<y∨z=y)
*****TAUT ¬(pred x≤z) 19,29,33:34;
35 ¬(pred x≤z) (18 29)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{28:29,35};
36 tak1(x,y,z)=tak0(x,y,z) (4 18 28 29)
*****REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{29:30};
37 tak1(x,y,z)=tak0(x,y,z) (4 18 29 30)
*****⊃I 28⊃31;
38 pred y≤z⊃tak1(x,y,z)=tak0(x,y,z) (4 18 27)
*****⊃I 30⊃32;
39 ¬(pred y≤z)⊃tak1(x,y,z)=tak0(x,y,z) (4 18 27)
*****TAUT tak1(x,y,z)=tak0(x,y,z) 38:39;
40 tak1(x,y,z)=tak0(x,y,z) (4 18 27)
*****⊃I 28⊃36;
41 pred y≤z⊃tak1(x,y,z)=tak0(x,y,z) (4 18 29)
*****⊃I 30⊃37;
42 ¬(pred y≤z)⊃tak1(x,y,z)=tak0(x,y,z) (4 18 29)
*****TAUT tak1(x,y,z)=tak0(x,y,z) 41:42;
43 tak1(x,y,z)=tak0(x,y,z) (4 18 29)
*****⊃I 27⊃40;
44 pred x≤y⊃tak1(x,y,z)=tak0(x,y,z) (4 18)
*****⊃I 29⊃↑↑;
45 ¬(pred x≤y)⊃tak1(x,y,z)=tak0(x,y,z) (4 18)
*****TAUT tak1(x,y,z)=tak0(x,y,z) 44:45;
46 tak1(x,y,z)=tak0(x,y,z) (4 18)
*****⊃I 18⊃↑;
47 ¬(y≤z)⊃tak1(x,y,z)=tak0(x,y,z) (4)
*****TAUT tak1(x,y,z)=tak0(x,y,z) 17,47;
48 tak1(x,y,z)=tak0(x,y,z) (4)
*****⊃I 4⊃↑;
49 ¬(x≤y)⊃tak1(x,y,z)=tak0(x,y,z)
*****TAUT tak1(x,y,z)=tak0(x,y,z) 3,49;
50 tak1(x,y,z)=tak0(x,y,z)


7.4.  The  proof  using  GOAL. 


For the GOAL proof of the Takeuchi function we used exactly the same axioms shown
before. The number of user commands required by this proof is one third of the number of
commands required in the previous one. On the other hand, the number of lines in the FOL proof
generated by the GOAL unwinding mechanism is roughly the same as in the other proof.

The formulae that appear in the GOAL proof are much bigger than in McCarthy's FOL proof.
But this does not seriously affect the usefulness of GOAL. In the case of this proof, I did not
really have to scan much of those formulae. The commands were guessed by inspecting the
main conditional of the WFF.

Our proof combined some forward proving with the GOAL commands. In total, it used nine
calls to TRY and five (forward) uses of the FOL command MONADIC.


7.4.1.  Comparison  of  the  user  input. 


For  ease  of  comparison,  we  show  first  the  commands  typed  by  the  user  in  each  case.  The 
structure  of  the  case  analysis  is  apparent  in  the  commands  for  the  GOAL  proof. 


7.4.1.1. Commands for the forward proof.


ASSUME x≤y;
REWRITE tak1(x,y,z)=tak0(x,y,z) BY LOGICTREE∪{TAK0,TAK1,1};
⊃I ↑↑⊃↑;
ASSUME ¬(x≤y);
REWRITE y<x BY LOGICTREE∪{LESS9,4};
ASSUME y≤z;
ASSUME pred x≤y;
∀E LESS2 y;
∀E LESS4 pred y,y,z;
TAUT pred y≤z 6,8:9;
REWRITE tak1(x,y,z)=tak0(x,y,z) BY LOGICTREE∪{TAK0,TAK1,4:7,10};
⊃I 7⊃↑;
ASSUME ¬(pred x≤y);
REWRITE tak1(x,y,z)=tak0(x,y,z) BY LOGICTREE∪{TAK0,TAK1,LESS7,4:6,10,13};
⊃I ↑↑⊃↑;
TAUT tak1(x,y,z)=tak0(x,y,z) 12,15;
⊃I 6⊃↑;
ASSUME ¬(y≤z);
REWRITE z<y BY LOGICTREE∪{LESS9,18};
∀E LESS4 z,y,x;
∀E LESS5 z,x;
TAUT z≤x 5,19:21;
∀E LESS4 pred z,z,x;
∀E LESS2 z;
∀E LESS4 pred z,z,x;
TAUT pred z≤x 22,24:25;
ASSUME pred x≤y;
ASSUME pred y≤z;
ASSUME ¬(pred x≤y);
ASSUME ¬(pred y≤z);
REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{27:28};
REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{27,30};
∀E LESS4 pred x,z,y;
∀E LESS5 z,y;
TAUT ¬(pred x≤z) 19,29,33:34;
REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{28:29,35};
REWRITE tak1(x,y,z)=tak0(x,y,z) BY FOO∪{29:30};
⊃I 28⊃31;
⊃I 30⊃32;
TAUT tak1(x,y,z)=tak0(x,y,z) 38:39;
⊃I 28⊃36;
⊃I 30⊃37;
TAUT tak1(x,y,z)=tak0(x,y,z) 41:42;
⊃I 27⊃40;
⊃I 29⊃↑↑;
TAUT tak1(x,y,z)=tak0(x,y,z) 44:45;
⊃I 18⊃↑;
TAUT tak1(x,y,z)=tak0(x,y,z) 17,47;
⊃I 4⊃↑;
TAUT tak1(x,y,z)=tak0(x,y,z) 3,49;


7.4.1.2. Commands for the goal oriented proof.


TRY USING ∀I;
TRY USING REWRITE BY {TAK1 TAK0};
TRY USING IFCASES x≤y;
TRY USING IFCASES y≤z;
MONADIC pred y≤z LESS4 LESS2 6;
MONADIC IF pred x≤y THEN y ELSE z ≤ z LESS7 6;
TRY USING REWRITE BY {↑↑,↑};
MONADIC z≤x 4 7 LESS8 LESS5 LESS4;
MONADIC pred z ≤ x LESS2 LESS4 ↑;
MONADIC IF pred y≤z THEN z ELSE x ≤ x LESS7 ↑↑;
TRY USING REWRITE BY {↑↑↑,↑↑,↑,LESS7};
TRY USING IFCASES pred y≤z;
TRY USING IFCASES pred x ≤ y;
TRY USING MONADIC 7 26 LESS8 LESS4;
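
The following added example (not code from the thesis, GOAL or FOL) models the case split performed by the IFCASESHORT strategy of section 7.2 on the TAK0 and TAK1 definitions, and replays the x≤y and y≤z branches of the goal oriented proof: split on a WFF, record it in the simpset as TRUE or FALSE, and rewrite without expanding the remaining conditionals. The tuple encoding of terms, all function names, and the integer model with pred x = x - 1 used as a sanity check are assumptions of the example.

```python
from itertools import product

# Terms are nested tuples; variables are strings. All names are illustrative.
def le(a, b): return ("le", a, b)
def pred(a): return ("pred", a)
def ite(c, t, e): return ("if", c, t, e)
def eq(a, b): return ("eq", a, b)

def tak0(a, b, c):
    """Right-hand side of axiom TAK0 instantiated at (a, b, c)."""
    return ite(le(a, b), b, ite(le(b, c), c, a))

def tak1(a, b, c):
    """Right-hand side of axiom TAK1 instantiated at (a, b, c)."""
    return ite(le(a, b), b, tak0(tak0(pred(a), b, c),
                                 tak0(pred(b), c, a),
                                 tak0(pred(c), a, b)))

def rewrite(t, simpset):
    """Bottom-up rewriting with a simpset that maps wffs to True/False."""
    if isinstance(t, (str, bool)):
        return t
    t = (t[0],) + tuple(rewrite(a, simpset) for a in t[1:])
    if t in simpset:                      # wff known to be TRUE or FALSE
        return simpset[t]
    if t[0] == "if" and isinstance(t[1], bool):
        return t[2] if t[1] else t[3]     # decided conditional
    if t[0] == "eq" and t[1] == t[2]:
        return True                       # t = t
    return t

def ifcases_short(simpset, wff, wf):
    """Split on wf. Each subgoal gets wf (or wf = FALSE) added to its simpset
    and is then rewritten; undecided conditionals stay as conditionals."""
    subgoals = []
    for value in (True, False):
        s = dict(simpset)
        s[wf] = value
        subgoals.append((s, rewrite(wff, s)))
    return subgoals

def evaluate(t, env):
    """Evaluate over the integers with pred x = x - 1 (assumed model of LESS)."""
    if isinstance(t, bool):
        return t
    if isinstance(t, str):
        return env[t]
    op, args = t[0], [evaluate(a, env) for a in t[1:]]
    if op == "le": return args[0] <= args[1]
    if op == "pred": return args[0] - 1
    if op == "eq": return args[0] == args[1]
    if op == "if": return args[1] if args[0] else args[2]
    raise ValueError(op)

def holds(simpset, wff, lo=-3, hi=4):
    """Check wff on every integer assignment that satisfies the assumptions."""
    for x, y, z in product(range(lo, hi), repeat=3):
        env = {"x": x, "y": y, "z": z}
        if all(evaluate(k, env) == v for k, v in simpset.items()):
            if evaluate(wff, env) is not True:
                return False
    return True

def demo():
    goal = eq(tak1("x", "y", "z"), tak0("x", "y", "z"))
    # Case split on x<=y: the positive branch closes by rewriting alone.
    (s_le, g_le), (s_gt, g_gt) = ifcases_short({}, goal, le("x", "y"))
    # Under not(x<=y), split again on y<=z; rewriting alone does not close it.
    (s_yz, g_yz), _ = ifcases_short(s_gt, g_gt, le("y", "z"))
    # Lines 9 and 10 of the dialog, derived there by forward MONADIC steps.
    lemma9 = le(pred("y"), "z")
    lemma10 = le(ite(le(pred("x"), "y"), "y", "z"), "z")
    assert holds(s_yz, lemma9) and holds(s_yz, lemma10)
    closed = rewrite(g_yz, {**s_yz, lemma9: True, lemma10: True})
    return g_le, g_yz, closed

if __name__ == "__main__":
    g_le, g_yz, closed = demo()
    print("x<=y branch:", g_le)
    print("y<=z branch closed after lemmas:", closed)
```
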


7.4.2.  The  complete  man-machine  dialog. 


The  following  is  the  complete  protocol  of  the  GOAL  proof. 


*****GOAL ∀x y z.(tak1(x,y,z)=tak0(x,y,z));

Goal #1: ∀x y z.tak1(x,y,z)=tak0(x,y,z)

*****TRY USING ∀I;

Goal #1#1: tak1(x,y,z)=tak0(x,y,z)

*****TRY USING REWRITE BY {TAK1 TAK0};

Goal  el  el  el:  IF  xsy  THEN  y  ELSE  IF  IF  pred  x<y  THEN  y  ELSE  IF  ySz  THX 
EN  z  ELSE  pred  x<IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THX 
EN  IF  pred  ySz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  X 
ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  IF  X 
xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  ELSX 
E  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  xSX 
y  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  x 

*****TRY USING IFCASESHORT x≤y;

Goal  elelelel:  xSy=IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  X 
ySz  THEN  z  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  preX 
d  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IFX
pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y<IF  pred  ZSx  THEN  x  ELK
SE  IF  xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  x<y  THENX 
y  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  xX 
-IF  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  x 

Goal  #1#1#1#2:  •’(xSy)o IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  X 
IF  y<z  THEN  z  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  X 
pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IFX 
IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  xX 
ELSE  IF  xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  IF  xSy  TX 
HEN  y  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  preX 
d  x-IF  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  x 

Goal  IF  x<y  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  y<X 

z  THEN  z  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  X 
y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pX 
red  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ysIF  pred  zSx  THEN  x  ELSEX 
IF  xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  yX 
ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IX 
F  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  x 

1 x≤y (1)

2  IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  prX 
ed  xsIF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  yX 
Sz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  EX 
LSE  IF  zsx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  EX 
LSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  ELSE  pred  z  ELSX 
E  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  xSy  THEN  y  ELSX 
E  IF  ySz  THEN  z  ELSEx  (1) 

3  xSyulF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSX 
E  pred  xSlF  pred  y <z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  prX 
ed  y<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THENX 

z  ELSE  IF  z<x  THEN  x  ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  IF  xSy  THENX 
y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  x<y  THEN  y  ELSE  pred  zX 
ELSE  IF  pred  x<y  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  xSy  THEN  y X 
ELSE  IF  y<z  THEN  z  ELSE  x 

Goal  «1*1*1«2*1:  IF  xSy  THEN  y  ELSE  IF  IF  pred  x<y  THEN  y  ELSE  IF  ySX 
z  THEN  z  ELSE  pred  x<IF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  X 
y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pX 
red  ySz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y<IF  pred  z<x  THEN  x  ELSEX 
xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  IF  x<y  THEN  yX 
ELSE  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IX 
F  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  x 

4 ¬(x≤y) (4)

5 x≤y≡FALSE (4)

Goal  *1#1*1*2*1*1:  IF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  preX 
d  xSlF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySX 
z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELX 
SE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pX 
red  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  zX 
ELSE  pred  x-IF  ysz  THEN  z  ELSE  x 

*****TRY USING IFCASESHORT y≤z;

Goal  ySz=>IF  IF  pred  xSy  THEN  y  ELSE  IF  y£z  THEN  z  ELX

SE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pX 
red  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEX 
N  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEX 
N  IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  X 
THEN  z  ELSE  pred  x-IF  ysz  THEN  z  ELSE  x 

Goal  #1*1 #1*2*1 #1*2:  -(ySzlolF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  zX 
ELSE  pred  XSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IX 
F  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  X 
THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  X 
THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  yX 
Sz  THEN  z  ELSE  pred  x-IF  ySz  THEN  z  ELSE  x 

Goal  *1*1  *1*2*1  #1*1*1:  IF  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE* 
pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  preX 
d  ysz  1  HEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  X 
z  ELSE  IF  zSx  THEN  x  ELSE  prc  I  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  X 
IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THX 
EN  z  ELSE  pred  x-IF  ySz  THEN  z  ELSE  x 
6 y≤z (6)

Goal  #1#1#1#2#1#1#1#1#1:  IF  IF  pred  xSy  THEN  y  ELSE  zSlF  pred  ysz  THX 
EN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  zX 
Sx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  EX 
LSE  pred  ySlF  pred  z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSX 
E  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  z-z 

Goal  #1*1  *1*2*1  #1*2*1:  IF  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE* 
pred  x£IF  pred  ySz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  preX 
d  ysz  THEN  z  ELSE  IF  z£x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  X 
z  ELSE  IF  zSx  THEN  x  ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  pred  z  THEN  X 
IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THX 
EN  z  ELSE  pred  x-IF  y<z  THEN  z  ELSE  x 
7 ¬(y≤z) (7)

8 y≤z≡FALSE (7)

Goal  #1#1#1#2#1#1#2#1#1:  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  yX 
Sz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE* 
IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEX 
N  x  ELSE  pred  ysIF  pred  zSx  THEN  x  1LSE  pred  z  THEN  IF  pred  zSx  THEN  X 
x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  pred  x-x 

*****MONADIC pred y ≤ z LESS4 LESS2 6;

9 pred y≤z (6)

*****MONADIC IF pred x ≤ y THEN y ELSE z ≤ z LESS7 6;

10 IF pred x≤y THEN y ELSE z≤z (6)

*****TRY #1#1#1#2#1#1#1#1#1 USING REWRITE BY

11  IF  IF  pred  xSy  THEN  y  ELSE  zJ.F  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  xX 
ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  EX 

LSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  X 
THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xX
£y  THEN  y  ELSE  z-z  (6)

12  IF  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x<IF  pred  y<z  TX 
HEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  X 
z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  x  X 
ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELK 
SE  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-IF  yX 
<z  THEN  z  ELSE  xHF  IF  pred  x<y  THEN  y  ELSE  z<IF  pred  y<z  THEN  z  ELSEK 
IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  xK 
ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  X 

ySlF  pred  z<x  THEN  x  c-LSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  pred  z  X 
ELSE  IF  pred  x<y  THEN  y  ELSE  z-z  (6) 

13  IF  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x<IF  pred  y<z  TK 
HEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  X 
z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y <z  THEN  z  ELSE  IF  z<x  THEN  x  X 
ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELK 
SE  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x— IF  yX 
£z  THEN  z  ELSE  x  (6) 

14  y<zolF  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x<IF  pred  yX 
<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSEK 

IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  z<x  THEK 
N  x  ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  z£x  THEN  X 
x  ELSE  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-K 
IF  y<z  THEN  z  ELSE  x 

*****MONADIC z≤x 4 7 LESS8 LESS5 LESS4;

15 z≤x (4 7)

*****MONADIC pred z ≤ x LESS2 LESS4 ↑;

16 pred z≤x (4 7)

*****MONADIC IF pred y ≤ z THEN z ELSE x ≤ x LESS7 ↑↑;

17 IF pred y≤z THEN z ELSE x≤x (4 7)

*****TRY USING REWRITE BY {↑↑↑,↑↑,↑,LESS7};

Goal  »1#1#1#2»1«*1#2»1»»1#1:  IF  IF  pred  x<y  THEN  y  ELSE  pred  x<IF  predK 
y<z  THEN  z  ELSE  x  THEN  IF  pred  y<z  THEN  z  ELSE  x  ELSE  x-x 

*****TRY USING IFCASESHORT pred y ≤ z;

Goal  •lttl*l*2*lxltt2*l*l*l*l:  pred  yiz^lF  IF  pred  x<y  THEN  y  ELSE  preK 
d  x<IF  pred  y<z  THEN  z  ELSE  x  THEN  IF  pred  y<z  THEN  z  ELSE  x  ELSE  x-x 
Goal  #1*1*1«2#1»1#2#1#1#1#2:  -(pred  y<z)=IF  IF  pred  xsy  THEN  y  ELSE  X 
pred  x<IF  pred  y<z  THEN  z  ELSE  x  THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  X 
x*»x 

Goal  ttlttl*l«2*lttl*2«l*l*l*lul:  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  X 
pred  y<z  THEN  z  ELSE  x  THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  x-x 

18 pred y≤z (18)

Goal  *1*1*1 *2*1*1 *2*1*1 *1*1 *1*1:  IF  IF  pred  x<y  THEN  y  ELSE  pred  xSzX
THEN  z  ELSE  x-x 

Goal  *lttl*l*2*l*l«2*l«l*l«2«l:  IF  IF  pred  x£y  THEN  y  ELSE  pred  xSlF  % 
pred  y<z  THEN  z  ELSE  x  THEN  IF  pred  y<z  THEN  z  ELSE  x  ELSE  x-x 

19 ¬(pred y≤z) (19)

20 pred y≤z≡FALSE (19)

21  IF  IF  pred  xSy  THEN  y  ELSE  pred  XSIF  pred  ysz  THEN  z  CLSE  x  THEN  IX 
F  pred  yiz  THEN  z  ELSE  x  ELSE  x-x  (19) 

22  -(pred  ySz)=>IF  IF  pred  x<y  THEN  y  ELSE  pred  xSlF  pred  ysz  THEN  z  EX 
LSE  x  THEN  IF  pred  y<z  THEN  z  ELSE  x  ELSE  x-x 

*****TRY USING IFCASESHORT pred x ≤ y;

Goal  *1*1*1  *2*1  *1  *t2«*  1*1«1«1*1*1*1:  pred  xSyolF  IF  pred  xSy  THEN  y  ELX 
SE  pred  x<z  THEN  z  ELSE  x-x 

Goal  *1*1  *1*2*1  *1*2*1  *1*1  *1*1  *1*2:  -(pred  x<y)=IF  IF  pred  xSy  THEN  yX 
ELSE  pred  x<z  THEN  z  ELSE  x-x 

Goal  *1*1  *1*2*1  *1*2*1  *1*1  *1*1  *1*1*1:  IF  IF  preo  x<y  THEN  y  ELSE  predX 
xSz  THEN  z  ELSE  x-x 

23 pred x≤y (23)

24  IF  IF  p";d  xSy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-x  (7  23) 

25  pred  xSyolF  IF  pred  x<y  THEN  y  ELSE  pred  xsz  THEN  z  ELSE  x-x  (7) 

Goal  ttl*lttl»2ttl«l*2*l*lttl*l*l«l*2«l:  IF  IF  pred  x£y  THEN  y  ELSE  predX 
x<z  THEN  z  ELSE  x-x 

26 ¬(pred x≤y) (26)

27 pred x≤y≡FALSE (26)

Goal  «l*l*l«2«l*l«2*l*l«l*l«l»l*2«lnl:  IF  pred  x£z  THEN  z  ELSE  x-x 
*****TRY  USING  MONADIC  7  26  LESS8  LESS4; 

28  IF  pred  x<z  THEN  z  ELSE  x-x  (7  26) 

29  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-xsIF  pred  xSz  THX 
EN  z  ELSE  x-x  (26) 

30  IF  IF  pred  x<y  THEN  y  ELSE  pred  x<z  THEN  z  ELSE  x-x  (7  26) 

31  -(pred  xSy)=IF  IF  pred  x<y  THEN  y  ELSE  pred  x<z  THEN  z  ELSE  x-x  (X 

7) 

32  IF  IF  pred  xSy  THEN  y  ELSE  pred  x<z  THEN  z  ELSE  x-x  (7) 

33  IF  IF  pred  x<y  THEN  y  ELSE  pred  xSlF  pred  y<z  THEN  z  tiSE  x  THEN  IX 

F  pred  ySz  THEN  z  ELSE  x  ELSE  x-xsIF  IF  pred  xSy  THf  .  y  EL_  pred  xSzX 
THEN  z  ELSE  x-x  (18)

34  IF  IF  pred  x<y  THEN  y  ELSE  pred  x<IF  pred  y£z  THEN  z  ELSE  x  THEN  IX
F  pred  y<z  THEN  z  ELSE  x  ELSE  x-x  (7  18) 

35  pred  y<zolF  IF  pred  xSy  THEN  y  ELSE  pred  x<IF  pred  y<z  THEN  z  ELSEX 
x  THEN  IF  pred  ysz  THEN  z  ELSE  .<  ELSE  x-x  (7) 

36  IF  IF  pred  xSy  THEN  y  ELSE  pred  x<IF  pred  ySz  THEN  z  ELSE  x  THEN  IX 
F  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  (7) 

37  IF  IF  pred  xSy  THEN  y  ELSE  pred  x<IF  pred  y£z  THEN  z  ELSE  IF  zSx  TX 
HEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  preX 
d  y  ELSE  IF  IF  pred  y<5z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y£lF  predX 
z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  pred  z  ELSE  IF  pX 
red  xsy  THEN  y  ELSE  pred  x-xeIF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  preX 
d  ysz  THEN  z  ELSE  x  THEN  IF  pred  y£z  THEN  z  ELSE  x  ELSE  x-x  (4  7) 

38  IF  IF  pred  xsy  THEN  y  ELSE  pred  x<IF  pred  ysz  THEN  z  ELSE  IF  zSx  TX 
HEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  preX 
d  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  predX 
z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  pred  z  ELSE  IF  pX 
red  xsy  THEN  y  ELSE  pred  x-x  (4  7) 

39  IF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x<IF  pred  y<z  TX 
HEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  X 
zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  y$IF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELX 
SE  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-iF  yX 
Sz  THEN  z  ELSE  xsIF  IF  pred  xSy  THEN  y  ELSE  pred  x<IF  pred  y<z  THEN  zX 

ELSE  IF  z£x  THEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zSx  TX 
HEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  X 
pred  y<IF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  prX 
ed  z  ELSE  IF  pred  x<y  THEN  y  ELSE  pred  x-x  (7) 

40  IF  IF  pred  x<y  THEN  y  ELSE  IF  y <z  THEN  z  ELSE  pred  x<IF  pred  y<z  TX 
HEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  X 
zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  y<IF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELX 
SE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  yX 
iz  THEN  z  ELSE  x  (4  7) 

41  -(y<zMF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x<IF  preX 

d  ySz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  EX 
LSE  IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  z<x  X 
THEN  x  ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  pred  z  THEN  IF  pred  zix  THX 
EN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  predX 
x-IF  y<z  THEN  z  ELSE  x  (4) 

42  IF  IF  pred  xSy  THEN  y  ELCE  IF  ySz  THEN  z  ELSE  pred  x<IF  pred  y<z  TX 
HEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  X 
z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  y<IF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELX 
SE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-IF  yX 
£z  THEN  z  ELSE  x  (4) 

43  IF  xsy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  pX
red  xSlF  pred  ySz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  X
yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  % 
ELSE  IF  zsx  THEN  x  ELSE  pred  yi\F  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  X 
ELSE  pred  z  THEN  IF  pred  zix  THEN  x  ELSE  IF  xSy  THEN  y  ELSE  pred  z  ELK 
SE  IF  pred  xsy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  xSy  THEN  y  ELK 
SE  IF  yiz  THEN  z  ELSE  x«IF  IF  pred  xiy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE* 
pred  xSlF  pred  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  THEN  IF  preX 
d  ysz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  X 
z  ELSE  IF  zix  THEN  x  ELSE  pred  ySlF  pred  zix  THEN  x  ELSE  pred  z  THEN  X 
IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  yiz  THX 
EN  z  ELSE  pred  x-IF  yiz  THEN  z  ELSE  x  (4) 

44  IF  x<y  THEN  y  ELSE  IF  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  pX 
red  xsIF  pred  yiz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  X 
yiz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  yiz  THEN  z  X 
ELSE  IF  zix  THEN  x  ELSE  pred  ySlF  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  X 
ELSE  pred  z  THEN  IF  pred  zsx  THEN  x  ELSE  IF  xiy  THEN  y  ELSE  pred  z  ELX 
SE  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-IF  xiy  THEN  y  ELX 
SE  IF  ySz  THEN  z  ELSE  x  (4) 

45  -(xiyMF  xiy  THEN  y  ELSE  IF  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THEN  zX 
ELSE  pred  xilF  pred  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  THEN  IX 
F  pred  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  yiz  X 
THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  yilF  pred  zix  THEN  x  ELSE  IF  xiy  X 
THEN  y  ELSE  pred  z  THEN  IF  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  ELSE  prX 
ed  z  ELSE  IF  pred  xiy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-IF  xSy  THX 
EN  y  ELSE  IF  ysz  THEN  z  ELSE  x 

46  IF  xSy  THEN  y  ELSE  IF  IF  pred  x<y  THEN  y  ELSE  IF  y$z  THEN  z  ELSE  pX 
red  xsIF  pred  ySz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  X 
yiz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  X 
ELSE  IF  z5x  THEN  x  ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  IF  xSy  THEN  y  X 
ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  ELSE  pred  z  ELX 
SE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  xSy  THEN  y  ELX 
SE  IF  yiz  THEN  z  ELSE  x 

47  takl(x,y,z)-takO(xlylz)KlF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  EX 
LSE  IF  yiz  THEN  z  ELSE  pred  xsIF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  EX 
LSE  pred  y  THEN  IF  pred  yiz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSX 
E  IF  IF  pred  yiz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ysIF  pred  zSx  THX 
EN  x  ELSE  IF  xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  ZSx  THEN  x  ELSE  IF  xX 
iy  THEN  y  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSEX 
pred  x-IF  xiy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  x 

48 tak1(x,y,z)=tak0(x,y,z)

49 ∀x y z.tak1(x,y,z)=tak0(x,y,z)


7.4.3. The FOL proof generated by GOAL.


We have stressed the fact that GOAL always generates a FOL proof that is
indistinguishable from a user generated proof. For the sake of completeness, we also show
here the FOL proof that results from the previous dialog.


*****SHOW PROOF;
*****ASSUME x≤y;

1 x≤y (1)

*****REWRITE  IF  xiy  THEN  y  ELSE  IF  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THE* 
N  z  ELSE  pred  xilF  pred  ysz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  THE* 
N  IF  pred  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  yX 
iz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  yilF  pred  zix  THEN  x  ELSE  IF  xX 
Sy  THEN  y  ELSE  pred  z  THEN  IF  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  ELSE* 
pred  z  ELSE  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  pred  x-IF  xiyX 
THEN  y  ELSE  IF  yiz  THEN  z  ELSE  x  BY  LOGICTREE  COMPTREE  t; 

2  IF  xiy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  prX 
ed  xilF  pred  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  THEN  IF  pred  yX 
iz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  yiz  THEN  z  EX 
LSE  IF  zix  THEN  x  ELSE  pred  yilF  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  EX 
LSE  pred  z  THEN  IF  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  ELSE  pred  z  ELSX 
E  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  pred  x-IF  xiy  THEN  y  ELSX 
E  IF  ysz  THEN  z  ELSE  x  (1) 

****»3|  ftsfi 

3  xiyalF  xiy  THEN  y  ELSE  IF  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THEN  z  ELSX 
E  pred  xsIF  pred  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  THEN  IF  prX 
ed  yiz  THEN  z  ELSE  IF  zix  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  yiz  THENX 
z  ELSE  IF  zix  THEN  x  ELSE  pred  yilF  pred  zix  THEN  x  ELSE  IF  xiy  THENX 
y  ELSE  pred  z  THEN  IF  pred  zix  THEN  x  ELSE  IF  xiy  THEN  y  ELSE  pred  zX 
ELSE  IF  pred  xiy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  pred  x-IF  xiy  THEN  yX 
ELSE  IF  yiz  THEN  z  ELSE  x 

*****ASSUME  •'(xiy); 

4  ■'(xiy)  (4) 

***#*REWRITE  T  BY  LOGICTREE,- 

5  xiyiFALSE  (4) 

*****ASSUME  yiz} 

6  yiz  (6) 


♦♦♦♦♦ASSUME  -(yah 

7  -<ySz)  (7) 

♦♦♦♦♦REWRITE  t  BY  LOGICTREEj 

8  ysz«FALSE  <7) 

****«; 

9  pred  ySz  (6) 

♦♦♦♦♦; 

10  IF  pred  xSy  THEN  y  ELSE  zsz  (6) 

♦♦♦♦♦REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  zsIF  pred  ysz  THEN  z  ELSE  IF  X 
zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSX 
E  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlFX 
pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  ELSEX 
IF  pred  xSy  THEN  y  ELSE  z-z  BY  5  LOGICTREE  COMPTREE  BY  {  9:10}; 

1 1  IF  IF  pred  xSy  THEN  y  ELSE  zsIF  pred  y<z  THEN  z  ELSE  IF  zsx  THEN  xX 
ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  EX 
LSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zSx  X 
THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  pred  xX 
Sy  THEN  y  ELSE  z-z  (6) 

♦♦♦♦♦REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySZ  THEN  z  ELSE  pred  xSlF  X 
pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  X 
z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zX 
Sx  THEN  x  ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSxX 
THEN  x  ELSE  pred  z  ELSE  IF  pred  xsy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pX 
red  x-IF  ySz  THEN  z  ELSE  x  BY  5  LOGICTREE  C0MPTREE6; 

12  IF  IF  pred  xsy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  xSlF  pred  ySz  TX 
HEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  X 
zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELX 
SE  pred  z  ELSE  IF  pred  xsy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  yX 
sz  THEN  z  ELSE  x«IF  IF  pred  xSy  THEN  y  ELSE  ZSIF  pred  ySz  THEN  z  ELSEX 

IF  zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  xX 
ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  X 
ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  X 
ELSE  IF  pred  xsy  THEN  y  ELSE  z-z  (6) 

♦♦♦♦♦TAUT  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  xSlF  preX 
d  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  EX 
LSE  IF  zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zsx  X 
THEN  x  ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  TWX 
EN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  predX 
x-IF  ysz  THEN  z  ELSE  x  11,1* 

13  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  xSlF  pred  ysz  TX 
HEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  * 
ZSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELX 
SE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  yX 
Sz  THEN  z  ELSE  x  (6) 

***«*3|  6st; 

14  ySzsIF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  xSlF  pred  yX 
Sz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSEX 
IF  zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zsx  THEX 

N  x  ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  X 
x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-X 
IF  ySz  THEN  z  ELSE  x 

**«««; 

15  zsx  (4  7) 

«****; 

16  pred  zsx  (4  7) 

****«; 

17  IF  pred  ySz  THEN  z  ELSE  xSx  (4  7) 

****«ASSUME  pred  ySz; 

18  pred  ySz  (18) 

*****ASSUME  Xpred  ySzh 
19 -4pred  ySz)  (19) 

*****REWRITE  T  BY  LOGICTREE; 

20  pred  ySz»FALSE  (19) 

*****REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  pred  XSlF  pred  ySz  THEN  z  ELSX 
E  x  THEN  IF  pred  ysz  THEN  z  ELSE  x  ELSE  x-x  BY  T  8  5  LOGICTREE  COMPX 
TREE  t, 

21  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ysz  THEN  z  ELSE  x  THEN  IX 
F  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  (19) 

*«*«*3|  TTt=>t[ 

22  -(pred  ySz)=>IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ySz  THEN  z  EX 
LSE  x  THEN  IF  pred  ysz  THEN  z  ELSE  x  ELSE  x-x 

****«ASSUME  pred  xSy; 

23  pred  xSy  (23) 
••♦♦•REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-x  BY  X 
8  5  LOGICTREE  COMPTREE  t; 

24  IF  IF  pred  xSy  THEN  y  ELSE  pred  xiz  THEN  z  ELSE  x-x  (7  23) 

•»«**3|  TTatj 

25  pred  xSyolF  IF  pred  x$y  THEN  y  ELSE  pred  xsz  THEN  z  ELSE  x-x  (7) 
•••••ASSUME  -(pred  xSy); 

26  -(pred  xSy)  (26) 

•••••REWRITE  t  BY  LOGICTREE; 

27  pred  xiy-FALSE  (26) 

•••••MONADIC  LESS4LESS8  TT  7; 

28  IF  pred  xSz  THEN  z  ELSE  x-x  (7  26) 

•••••REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-x  BY  X 
TT  8  5  LOGICTREE  COMPTREE  TT; 

29  IF  IF  pred  xSy  THEN  y  ELSE  pred  xiz  THEN  z  ELSE  x-x*IF  pred  xSz  THX 
ENz  ELSE  x-x  (26) 

•••••TAUT  IF  IF  pred  xiy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-x  28,29; 

30  IF  IF  pred  xSy  THEN  y  ELSE  pred  xiz  THEN  z  ELSE  x-x  (7  26) 

••••»3|  26=>T; 

31  -(pred  xsy)alF  IF  pred  xSy  THEN  y  ELSE  pred  x*z  THEN  z  ELSE  x-x  (X 
7) 

••♦••TAUTEQ  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-x  25,3 IX 


32  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSz  THEN  z  ELSE  x-x  (7) 

•••••REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSX 
E  x  THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  BY  8  5  LOGICTREE  COMPTRX 
EE  18; 

33  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  y$z  THEN  z  ELSE  x  THEN  IX 
F  pred  ySz  THEN  z  ELSE  x  ELSE  x-xilF  IF  pred  xSy  THEN  y  ELSE  pred  xSzX 
THEN  z  ELSE  x-x  (18) 

•♦•••TAUT  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  xX 
THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  32,33; 


34  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSiF  pred  ySz  THEN  z  ELSE  x  THEN  IX 
F  pred  ysz  THEN  2  ELSE  x  ELSE  x-x  (7  18) 

**♦**31  18aT; 

35  pred  ySzsIF  IF  pred  xSy  THEN  y  ELSE  pred  x<IF  pred  ySz  THEN  z  ELSE* 
x  THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  (7) 

*****TAUTEQ  IF  IF  pred  xSy  THEN  y  ELSE  pred  x<lF  pred  ysz  THEN  z  ELSE* 
x  THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  22,35; 

36  IF  IF  pred  XSy  THEN  y  ELSE  pred  xsIF  pred  ysz  THEN  z  ELSE  x  THEN  I* 

F  pred  ysz  THEN  z  ELSE  x  ELSE  x-x  (7) 

♦♦♦♦♦REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ysz  THEN  z  ELS* 

E  IF  ZSx  THEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  X 
x  ELSE  pred  y  ELSE  IF  IF  pred  yS2  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred* 
ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z* 
ELSE  IF  pred  xSy  THEN  y  ELSE  pred  x-x  BY  8  5  LOGICTREE  COMPTREE  BY* 
{  LESS7, 15:17}; 

37  IF  IF  pred  x<y  THEN  y  ELSE  pred  x<IF  pred  y<z  THEN  z  ELSE  IF  zsx  T* 
HEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pre* 
d  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred* 
zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  pred  z  ELSE  IF  p* 
red  xSy  THEN  y  ELSE  pred  x-x«IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pre* 
d  ySz  THEN  z  ELSE  x  THEN  IF  pred  ySz  THEN  z  ELSE  x  ELSE  x-x  (4  7) 

*****TAUT  IF  IF  pred  xSy  THEN  y  ELSE  pred  x<IF  pred  ySz  THEN  z  ELSE  I* 

F  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  E* 
LSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  yS* 

IF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  EL* 

SE  IF  pred  xSy  THEN  y  ELSE  pred  x-x  36,37; 

38  IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zsx  T* 

HEN  x  ELSE  pred  y  THEN  IF  pred  y<z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pre* 
d  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  ySlF  pred* 
zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pred  z  ELSE  IF  p* 
red  XSy  THEN  y  ELSE  pred  x-x  {4  7) 


♦♦♦♦•REWRITE  IF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  xSlF  * 
pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  X 
z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  z* 

Sx  THEN  x  ELSE  pred  yS  IF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx* 
THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  p* 


red  x-IF  ysz  THEN  z  ELSE  x  BY  8  5  LOGICTREE  C0MPTREE8; 

39  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  XSlF  pred  ySz  T* 
HEN  z  ELSE  IF  ZSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  * 
ZSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  EL* 
SE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  y* 
Sz  THEN  z  ELSE  x*IF  IF  pred  xSy  THEN  y  ELSE  pred  xSlF  pred  ySz  THEN  z* 
ELSE  IF  ZSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  ZSx  TX 
HEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  * 
pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  pr* 
ad  z  ELSE  IF  pred  xsy  THEN  y  ELSE  pred  x-x  (7) 

*****TAUT  IF  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  xSlF  preX 
d  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  EX 
LSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  X 
THEN  x  ELSE  pred  ysIF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THX 
EN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred* 
x-IF  ysz  THEN  z  ELSE  x  38,39; 

40  IF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  xSlF  pred  y<z  T% 
HEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  X 
zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  y<z  THEN  z  ELSE  IF  zsx  THEN  x  X 
ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELK 
SE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  yX 
Sz  THEN  z  ELSE  x  (4  7) 

****«3|  7s  t; 

41  -«ySz>3lF  IF  pred  x<y  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  xSlF  preX 

d  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  ysz  THEN  z  EX 
LSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  zSx  X 
THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  THX 
EN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  predX 
x-IF  ydz  THEN  z  ELSE  x  (4) 

*****TAUTEQ  IF  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  xSlF  pX 
red  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  zX 
ELSE  IF  ZSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  ELSE  IF  ZSX 
x  THEN  x  ELSE  pred  ySlF  pred  ZSx  THEN  x  ELSE  pred  z  THEN  IF  pred  zSx  X 
THEN  x  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  prX 
ed  x-IF  ySz  THEN  z  ELSE  x  14,41; 

42  IF  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  xSlF  pred  ySz  TX 
HEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  pred  ySz  THEN  z  ELSE  IF  X 
ZSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  X 
ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  pred  z  THEN  IF  pred  ZSx  THEN  x  ELX 
SE  pred  z  ELSE  IF  pred  xsy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  yX 
Sz  THEN  z  ELSE  x  (4) 

*****REWRITE  IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEX 
N  z  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEX 
N  IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  yX 
Sz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  ZSx  THEN  x  ELSE  IF  xX 
Sy  THEN  y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  ELSEX 
pred  z  ELSE  IF  pred  xsy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  xSyX 
THEN  y  ELSE  IF  ySz  THEN  z  ELSE  x  BY  5  LOGICTREE  C0MPTREE5; 

43  IF  xsy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pX 
red  xSlF  pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  THEN  IF  pred  X 
ysz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  X 
ELSE  IF  zsx  THEN  x  ELSE  pred  ySlF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  X 
ELSE  pred  z  THEN  IF  pred  zsx  THEN  x  ELSE  IF  xSy  THEN  y  ELSE  pred  z  ELX 
SE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  xSy  THEN  y  ELX 
SE  IF  ysz  THEN  z  ELSE  x*IF  IF  pred  xSy  THEN  y  ELSE  IF  ySZ  THEN  z  ELSEX 
pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THEN  IF  preX 
d  ysz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  X 
z  ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  zsx  THEN  x  ELSE  pred  z  THEN  X 
IF  pred  zsx  THEN  x  ELSE  pred  z  ELSE  IF  pred  x<y  THEN  y  ELSE  IF  ySz  THX 
EN  z  ELSE  pred  x-IF  ysz  THEN  z  ELSE  x  (4) 

*«**TAUT  IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  y<z  THEN  zX 
ELSE  pred  XSlF  pred  y<z  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IX 
F  pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  X 
THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  ySlF  pred  z<x  THEN  x  ELSE  IF  xsy  X 
THEN  y  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  IF  x<y  THEN  y  ELSE  prX 
ed  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  xSy  THX 
EN  y  ELSE  IF  ySz  THEN  z  ELSE  x  42,43; 

44  IF  xSy  THEN  y  ELSE  IF  IF  pred  x<y  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pX 
red  xSlF  pred  ysz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  X 
y<z  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  THEN  z  X 
ELSE  IF  zsx  THEN  x  ELSE  pred  ySlF  pred  z<x  THEN  x  ELSE  IF  xSy  THEN  y  X 
ELSE  pred  z  THEN  «F  pred  z<x  THEN  x  ELSE  IF  xsy  THEN  y  ELSE  pred  z  ELX 
SE  IF  pred  xsy  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pred  x-IF  xSy  THEN  y  ELX 
SE  IF  ysz  THEN  z  ELSE  x  (4) 

***#*d|  4dT; 

45  -(xSy)slF  xsy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  zX 
ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  2<x  THEN  x  ELSE  pred  y  THEN  IX 

F  pred  ysz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysz  X 
THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y<IF  pred  z<x  THEN  x  ELSE  IF  xsy  X 
THEN  y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xSy  THEN  y  ELSE  prX 
ed  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ysz  THEN  z  ELSE  pred  x-IF  xSy  THX 
EN  y  ELSE  IF  ysz  THEN  z  ELSE  x 

*w*TAUTEQ  IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THENX 
z  ELSE  pred  xSlF  pred  ySz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  THENX 
IF  pred  ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ysX 
z  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y<IF  pred  zSx  THEN  x  ELSE  IF  xSX 
y  THEN  y  ELSE  pred  z  THEN  IF  pred  z<x  THEN  x  ELSE  IF  xSy  THEN  y  ELSE  X 
pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  xsy  X 
THEN  y  ELSE  IF  ySz  THEN  z  ELSE  x  3,45; 

46  IF  xsy  THEN  y  ELSE  IF  IF  pred  x<y  THEN  y  ELSE  IF  y<z  THEN  z  ELSE  pX 
red  xSlF  pred  ysz  THEN  z  ELSE  IF  z<x  THEN  x  ELSE  pred  y  THEN  IF  pred  X 
ysz  THEN  z  ELSE  IF  zSx  THEN  x  ELSE  pred  y  ELSE  IF  IF  pred  ySz  THEN  z  X 
ELSE  IF  zSx  THEN  x  ELSE  pred  ySlF  pred  z<x  THEN  x  ELSE  IF  xSy  THEN  y  X 
ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xsy  THEN  y  ELSE  pred  z  ELX 
SE  IF  pred  xsy  THEN  y  ELSE  IF  ySz  THEN  z  ELSE  pred  x-IF  xsy  THEN  y  ELX 
SE  IF  ysz  THEN  z  ELSE  x 

*****REWRITE  tak  1  (x,y ,z)-t akO(x,y ,z)  BY  LOGICTREE  COMPTREE  BY  {  TAKX 
l.TAKO}; 

47  takl(x,y,zMakO(x,y,z)«IF  xSy  THEN  y  ELSE  IF  IF  pred  xSy  THEN  y  EX 
LSE  IF  ysz  THEN  z  ELSE  pred  xSlF  pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  EX 
LSE  pred  y  THEN  IF  pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  y  ELSX 
E  IF  IF  pred  ysz  THEN  z  ELSE  IF  zsx  THEN  x  ELSE  pred  ySlF  pred  zSx  THX 
EN  x  ELSE  IF  xSy  THEN  y  ELSE  pred  z  THEN  IF  pred  zSx  THEN  x  ELSE  IF  xX 
Zy  THEN  y  ELSE  pred  z  ELSE  IF  pred  xSy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE* 
pred  x-IF  xsy  THEN  y  ELSE  IF  yiz  THEN  z  ELSE  x 

****<TaUT  takl (x,y  ,z)-t  »kO(x,y(z)  46,47; 

48  tek  1  (x,y,z)-t  •k(Xx,y>z) 

***«*VI  t  x  y  z; 

49  Vx  y  z.tekl(x,y,zW*kO<x,y,z) 


8. APPENDIX 2: RAMSEY'S THEOREM.


8.1. Introduction.


The following is Ramsey's theorem for denumerably infinite graphs.

RAMSEY'S THEOREM: If G is a complete, denumerable graph each of whose edges has
been labeled RED or BLACK, then there is a complete, denumerable sub-graph of G whose
edges are all of the same color.

PROOF: Let G(1)=G. For i=1,2,... repeat the following process: pick a point
x(i) in G(i); if x(i) is connected to infinitely many points of G(i) by red edges, let G(i+1) be
the set of points of G(i) that are connected to x(i) by red edges and label x(i) with RED;
otherwise let G(i+1) be the set of points of G(i) that are connected to x(i) by black edges
and label x(i) with BLACK. We see that, if G(i) is an infinite subset of G, so is G(i+1), and
all points of G(i+1) are connected to x(i) by edges of the color indicated by the label of
x(i); since G(1) is an infinite subset of G, so is G(i) for all i. Now consider the sequence
x(0),x(1),x(2),...: either infinitely many x(i) got labeled RED or infinitely many got
BLACK. Those infinitely many x(i) that got the same label form an infinite one-colored
sub-graph of G. QED.
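
The construction in the proof can be run on a finite complete graph; the following is an added example, not part of the thesis or of GOAL. It assumes a finite adaptation: the test "connected to infinitely many points by red edges" becomes "has at least as many red neighbours as black ones", so each G(i+1) keeps at least half of the remaining points. All function names and the random coloring are constructed for illustration.

```python
import itertools
import random

RED, BLACK = "RED", "BLACK"


def ramsey_sequence(points, color):
    """Run the proof's iteration on a finite complete graph.

    points: list of vertices; color(u, v): RED or BLACK for the edge {u, v}.
    Returns [(x_i, label_i), ...] such that every later point x_j (j > i)
    is joined to x_i by an edge whose color is label_i.
    """
    g = list(points)                      # current G(i)
    seq = []
    while g:
        x, rest = g[0], g[1:]             # pick a point x(i) of G(i)
        red = [p for p in rest if color(x, p) == RED]
        black = [p for p in rest if color(x, p) == BLACK]
        # Finite stand-in (assumption) for "infinitely many red edges":
        # keep the larger color class, so at least half of rest survives.
        if len(red) >= len(black):
            seq.append((x, RED))
            g = red                       # G(i+1): red neighbours of x(i)
        else:
            seq.append((x, BLACK))
            g = black                     # G(i+1): black neighbours of x(i)
    return seq


def monochromatic_subgraph(points, color):
    """Return (label, vertices): the x(i) that share the more common label.

    The last point picked has no later neighbours, so its label is
    arbitrary; it is still joined to every earlier x(i) by an edge of
    color label_i, which keeps the selected set one-colored.
    """
    seq = ramsey_sequence(points, color)
    reds = [x for x, lab in seq if lab == RED]
    blacks = [x for x, lab in seq if lab == BLACK]
    return (RED, reds) if len(reds) >= len(blacks) else (BLACK, blacks)


def is_monochromatic(vertices, color, label):
    """Check that every edge among the given vertices has the given color."""
    return all(color(u, v) == label
               for u, v in itertools.combinations(vertices, 2))


def random_coloring(n, seed):
    """Constructed sample input: a random 2-coloring of the edges of K_n."""
    rng = random.Random(seed)
    table = {frozenset(e): rng.choice((RED, BLACK))
             for e in itertools.combinations(range(n), 2)}
    return lambda u, v: table[frozenset((u, v))]


if __name__ == "__main__":
    n = 64
    col = random_coloring(n, seed=1)
    label, vs = monochromatic_subgraph(list(range(n)), col)
    print(label, vs, is_monochromatic(vs, col, label))
```

With 64 points the iteration picks at least 7 points (the surviving set at least halves each round), so at least 4 of them share a label and form a one-colored complete sub-graph.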

Carrying out this proof in FOL or in GOAL is a non-trivial exercise. The first difficulty is at
the logical level: choosing the correct way to express the iterative construction process
using the axiom of choice, choosing some form of an axiom about the existence of inductively
defined functions, and then bringing all these ends to match, requires painstaking attention to
detail. In 1976 I constructed a FOL proof in 689 steps. The details and a commentary of the
proof have been written up elsewhere [Weyhrauch et al. 1979]. This proof will be referred
to as the old proof throughout this Appendix.


8.2. Axioms.


For  the  GOAL  proof  we  are  using  the  same  axioms  that  were  used  in  the  earlier  proof 
[Weyhrauch  et  al.  1979].  The  rationale  for  this  decision  is  that  in  this  way  the  effectiveness 
of  GOAL  can  be  better  appreciated. 
8.2.1.  General  Axioms. 


The following general axioms for Set Theory were written by Weyhrauch. They follow the
spirit of Kelley's axiomatization in the Appendix to [Kelley 1955]. The individual constant X
stands for the empty set.


DECLARE  PREDCONST  (  2[INFJ 

DECLARE  PREDCONST  c  2[INF]j 

DECLARE  PREDCONST  CONN  2[INF],0RD  CARD  NATNUM  l.WOtREUepiFlCONG  2; 
DECLARE  PREDCONST  REL  FNC  1; 

DECLARE  PREDCONST  SET  1; 

DECLARE  PREDPAR 

A  1; 

DECLARE  OPCONST 

u  2[R«-455  L«-450]; 

DECLARE  OPCONST 

DOM,RNG(FNC)-*,MAPS  2,|  2[INFJ 

DECLARE  OPCONST 

MIN, SUP  1  ,CONV(REL)-REL,card(»)-ORDi 

DECLARE  OPCONST 

EXP2  EXP3  1  .CROSS  2,«  2[INFJ 

DECLARE  OPCONST 

P  li 

DECLARE  OPCONST 

INTER  1[R«-1000J; 

DECLARE  OPCONST 

\  2[R<-355,L«-350]; 

DECLARE  OPCONST 

-  1[PREJ; 

DECLARE  OPCONST 

n  2[R«-555  L-550* 

DECLARE  OPCONST 

UNION  1[R«-1000J 

DECLARE  OPCONST 

IMAGEtFNC,*); 

DECLARE  INDCONST 
DECLARE  INDCONST 
DECLARE  INDCONST 

E.ON.ALEPHO.omega; 

V; 

XtSETi 

DECLARE  INOVAR 

a  b  c  d  e  al  bl  cl; 

DECLARE  INDVAR 

u  v  w  x  y  z<SET; 

DECLARE  INDVAR 

r  $  t<REL  f  g  htFNC; 

DEFINE  SET:  Va.(SET(a)*3b.a<b)-,; 

AXIOM  KEXT:  Va  b.(a-b«Vc.(c(aic<b))jj 
AXIOM  KCOMP:  Va.(a<  {b|A(b)}«SET(a)AA{a)te 

DEFINE  SUBSET:  Va  b.(acb»Vc.(c<a:>c<b))s; 
AXIOM  K POWER:  Vx.3y.Va.(a<y«acx)ij 

DEFINE  union:  Va  b.(aub«{c|c<avc<b})s 
AXIOM  Kunion:  Vx  y.SET(xuy)n 

DEFINE  V:  V-{a|a-a}» 

DECLARE  OPCONST  singl  1; 

DEFINE  UNIT:  Va.(singl(a)-{c|a<V/\c-a})s 
DECLARE  OPCONST  pair  2; 
DEFINE  PAIR:  Va  b.(pair(a,b)«singl(a)usingKb));; 

DECLARE  OPCONST  opair  2; 

DEFINE  OPAIR:  Va  b.(opair(a,b)-pair($ingl<a),pair(a,b)))i; 

DEFINE  TUPLE2:  Va  b.(opair(a,b)«pair(singl(a),pair(a,b)));; 

DECLARE  OPCONST  otriple  3j 

DEFINE  TUPLE3:  Va  b  c.<otriple(a,b,c)=opair(a,opair{b,c)));; 

DEFINE  REL:  Va.(REL(a)sVd.(d<a33b  c.(d=opair<b,c»))j; 

DEFINE  FNC:  Va.(FNC(a)sREL(a)AVb  c  d.(opair(b,c)caAopair(b.dKa3c-d))ji 

DEFINE  IMAGE:  Vf  a.{IMAGE(f,a)={c|3/.(y<aAopair(/1c)<f)});; 

AXIOM  KSUBST:  Vf  y.SET(IMAGE<f,y»;; 

DEFINE  UNION:  Va.(UNI0N(a)»{c|3b.(b<aAc<b)})K 

AXIOM  K  UNION:  Vx.SET(UNI0N<x));; 

DEFINE  EMPTY:  X-{aha-a};; 

DEFINE  inter:  Va  b.(anb«{c|c<aAc<b});; 

AXIOM  REG:  Va.(-a-\33y.(y<aAyna-\));; 

AXIOM  INF:  3x.(MxAVy.(y<x3yU$ingl(y)<x));; 


DEFINE  COMPL: 
DEFINE  DIFF: 
DEFINE  INTER: 
DEFINE  POWER: 
DEFINE  EXP2: 
DEFINE  EXP3: 
DEFINE  CROSS: 
DEFINE  COMPO: 

DEFINE  DOM: 
DEFINE  RNG: 
DEFINE  MAPS: 
DEFINE  RESTR: 
DEFINE  E: 
DEFINE  CONN: 
DEFINE  ORD: 
DEFINE  ON: 
DEFINE  MIN: 
DEFINE  SUP: 
DEFINE  CONV: 
DEFINE  CONG: 
DEFINE  CARD: 
DEFINE  ard: 
DEFINE  “ 

DEFINE  NATNU 
DEFINE  ALEPHO: 
DEFINE  omega: 


Va.(-a-{c|->c<a});; 

Va  b.(a\b=an-b);; 

Va.(INTER(a)-{c|Vb.{b(a3C(b)})ii 

Va.(P(a)-{c|cca})i: 

Va.(EXP2(a)»{c|3x  y.(x<aAy(aAc«opair(x,y»})ii 
Va.(EXP3(a)={c|3x  y  z.(x<aAy<aA2<aAc«otriple(x,y,z))})i; 

Va  b.(CR0SS(a,b)-[c|3d  e.(c-opair<d,e)Ad<aAetb)})« 

Va  b.(a«b- 

{c|3al  bl  cl.(c-opair{al,bl)Aopsir(al/:lK«AOpair(cl,blKb)})B 
Vf.(DOM{f)«{c|3a.opair(c1a)<f})jj 
Vf.(RNG(f)-{c|3a.opair(a,c)(f})ii 
Va  b.(MAPS(a.b)-{f|FNC(f)ADOM(f)-bARNG(f)-a})!i 
Vf  a.(f|a-fnCROSS(a,V));; 

E-{c|3a  b.(c-opair(a,b)Aa<b)}ji 

Vr  a.(r  CONN  a*Vb  c.(b<aAc<a=>opair(b,c)<rvopair(c,b)<rvb-c));5 
Va.(ORD(a)«{E  CONN  a  a  Vb.(b<a^bca)));; 

ON-{c|ORD(c)}ii 

Va.(MIN(a)-INTER(ONua)nUNION(ONna));i 

Va.(SUP(a)-MIN{{c|ONnacc}));; 

Vr.(C0NV(r)-{c|3a  b.(c»opair(a,b)Aopair(b,8Xr)})ji 
Va  b.(C0NG(a.b)«3f.{FNC(f)AFNC(C0NV(f))AD0M(f)-*ARNG(f)-b))» 
Va.(CARD(a)*(a(0NA-3b.(b<aAC0NG(a,b))))ii 
Va.(card(a)-!NTER({c|CARD<c)ACONG(cIa)}))i; 

Vr  a.(r  WO  aa((r  CONN  a)AVb.(bcaA-'b«Xs 

3x.(x<bA-3c.(c<bA-<-xAopair(c,xKr)AVd.(d<a3opair(d,dKr)))))ii 
•r(NATNUM<a)*ORD(a)A<CONV(E)  WO  a));; 

•»HO-{c|NATNUM(c)};; 
oitk.  -{c|NATNUM(c)}ii 
8.2.2.  Special  axioms. 


The following more advanced principles of Set Theory were also postulated for our work on
this theorem. Of these, APPLY, CHOICE, and INDUCTDEF were taken from [Mendelson 1964],
and the axiom EDGESET is simply a definition so that Ramsey's theorem can be stated in
suggestive terms.


DECLARE  PREDCONST  LT  NATNUM  2  [INF];  COMMENT;  ’LESS  THAN*: 
DECLARE  PREDCONST  DENUM  1; 

DECLARE  OPCONST  SUC  (NATNUM)-NATNUM;  COMMENT:  SUCCESSOR: 

DECLARE  OPCONST  "  2[INF];  COMMENT:  APPLY: 

DECLARE  OPCONST  EDGESET  1; 

DECLARE  INDVAR  G  R  B  aa  bb  cc  dd  ee; 

DECLARE  INDVAR  i  j  kcNATNUM; 

DECLARE  INDVAR  p<FNC; 


AXIOM  INDUCTION:  A(X)AYi.(A{i)3A(SUC(i)))aVi.A(i)H 

AXIOM  APPLY:  Vb  a.((3d.Vc.(d-c«opair(a,cXb)3opair(a,b"a)<b)A 

(-3d.Vc.(d-c«opair(a,c)<b)ob"a-X));; 

AXIOM  INDUCTDEF:  Vx  a.3c.Vb.(c-b  «  FNC(b)ADOM(b)-omegaAb"X-x 

AVi.(b"SUC(i)-a-(b"i)))» 

AXIOM  CH0ICE:Vx.3f.Va.(acxA-.a-X3fa<a);i 

AXIOM  EDGESET:  Vb.(EDGESET(b)-{a|3c  d.(c<bAd<bA-c-dAa-pair(c,d))})n 
AXIOM  DENUM:Va.(DENUM(a)«CONG(omega,a))ij 
AXIOM  SUC:  Vi.-X-SUC(i),Vi  j.(SUC(i)-SUC(j)oi-j);; 


8.2.3.  Auxiliary  lemmas. 


The following auxiliary lemmas are a subset of those that were postulated for the earlier
proof [Weyhrauch et al. 1979]. The first three concern the relation less than (LT).
AXIOM  LESS2:  Vi  j.<-i-j«i  LT  j  v  j  LT  i);; 
AXIOM  LESS4:  Vi.-i  LT  X;; 

AXIOM  LESS7:  Vi  j.(i  LT  SUC(j)*i-jvi  LT  j);; 


MG  SET;s{NATNUM}; 

MG  REL^{FNC}i 

AXIOM  AUX1:  Va.(DENUM<a)3SET(a))i; 

AXIOM  AUX2:  Va.(aca);; 

AXIOM  AUX3:  Va.(DENUM(a)3-a«\);i 
AXIOM  AUX4:  Va  b.(a<b=SET(a));; 

AXIOM  AUX5:  Va  b.<SET(opair(a,b))i$ET(a)ASET<b»;; 

AXIOM  AUX6:  Va  b  c.(a<(buc)*a<bva(c);; 

AXIOM  AUX9:  Va  b.(DENUM<a)3D£NUM<a\singl(b)>)s 
AXIOM  AUX10:  Va  b.(DENUM(aUb)aDENUM(a)vDENUM(b))s 
AXIOM  AUX1 1:  Vx  b  c.(cC(b\singl(x»*c<bA-«c-x);; 

AXIOM  AUX12:  Va  b  c.(pair(a,bKEDGESET(e)*a(cAb<CA-a-b)ji 
AXIOM  AUX13:  Va  b  c  d.(opair(a,b)-opair(c,d)*a-cAb-d)» 
AXIOM  AUX18:  Va  b.tacbaanb-a);; 

AXIOM  AUX20:Va  b.(anbcaAanbeb);; 

AXIOM  AUX22:  Va  b.(anb-bna);; 

AXIOM  AUX23:  Va  b  c.iacbAbccaacc);; 

AXIOM  AUX24:  Va  b.(pair(a,b)=pair(b,a));; 

AXIOM  AUX25:  Va  b  c.(a<bnc*a<bAa<c);; 

AXIOM  AUX27:Va  b  c  d.(opair{a,b)-opair(c,d)*a-CAb-d>;; 
AXIOM  AUX28:  Va  b  c.(a<bAbcC3a<c);i 
AXIOM  AUX29:  Va  b.(a\bca);; 

AXIOM  AUX30:  DEIMUM(omega);; 

AXIOM  AUX34:Va  b.<DENUM(a)ACONG{a,b)=DENUM(b)b 
AXIOM  AUX35:  Va  b.(acaubAbcaub);; 


8.3.  Proofs  of  some  auxiliary  theorems. 


The first 184 lines of the earlier proof [Weyhrauch et al. 1979] proved several set
theoretic facts. For the GOAL proof we have used a subset of these. In this section we shall
show an independent proof of those. Later they will be postulated for the main proof.

The total number of commands used in the following proofs is 39: this figure includes both
the forward proof steps using FOL commands and the calls to TRY. If we add the commands
that create the goals, that is five instances of the GOAL command, then we come to a total of
44. In the old proof, this same set of facts required 184 lines. Thus we achieve a fourfold
reduction in the number of commands, for this particular set of lemmas.
8.3.1.  Restriction  of  a  function. 


The first lemma says that the restriction of a function is again a function. The old proof
required 27 lines. The following GOAL proof uses only eight instances of the TRY command,
and generates a FOL proof of 27 lines.


*****G0AL  Vf  a.FNC(f  |  a)j 

Goal  el:  Vf  a.FNC(f  j  a) 

****»TRY  USING  REWRITE  BY  {RESTR}; 

Goal  el  el:  Vf  a.FNC(fnCROSS(a,V)) 

*****TRY  USING  VI  al  a; 

Goal  elelel:  FNC(a  1  )=>FNC(a  1  nCR0SS{a,V)) 

*****TRY  USING  REWRITE  BY  {FNC  REL  AUX25}; 

Goal  elelelel:  (Vd.(d<als3b  c.d-opair(b,c))AVb  c  d.((opair(b,ckalAotf 
pair(b,dKal)3C-d))3(Vd.((d<alAd<CR0SS(a,V))a3b  c.d-opair<b,c))AVb  c  % 
d.(((opair(b,cKalAOpair(b1c)<CROSS(a1V))A(opair(bId)<alAopair{b,dKCX 
R0SS(a,V)))3c»d)) 

*****TRY  USING  ELIMINATION  DEPTH  4; 

Goal  el  elelelel:  Vd.((d<alAd<CR0SS(a,V))D3b  c.d-opair(b,c»AVb  c  d.(X 

((opair(blckalAopair(blckCROSS(a,V)}A(opair(bldkalAopair(b,d)(CROS% 

S(a,V)))3c-d) 

1  Vd.(d<alo3b  c.d-opair(b,c»AVb  c  d.((opair(b,ckalAopair(b,d)<al)3c% 
-d)  (1) 

2  Vb  c  d.((opair(b,ekalAopair(b,dkal)3c-d)  (1) 

3  Vd.(d<al^3b  c.d-opair(b.c))  (1) 

Goal  elelelelelel:  Vd.((d<al  Ad<CR0SS(a,V))=3b  c.d-opair{b,c)) 

Goal  elelelelele2:  Vb  c  d.(((opair(b,ckalAopair(b,cKCROSS(a,V))A{oX 
pairfb.dka  1  Aopair(b,d)<CR0SS(a1V)))3C-d) 

Goal  elelelelelelel;  (d<alAd<CR0SS(a,V))o3b  c.d»opair(b,c) 

Goal  elelelelelelelel:  3b  c.d«opair{b,c) 

Goal  elelelelele2el:  «opair(b,cK a  1  Aopair{b,cXCRO$S(a,V)Mopair(bX 
,dk  a  1  Aopair(b,dkCROSS(a,V)»oc»d 
Goal  elelelelele2elel:  c-d 

*****TRY  USING  IMPLICATION; 

4  (opair(b^kalAopair(b,c)<CROSS(a,V))A(opair(b,dkalAopair(b,dkCROX 
$S(«,V)>  (4) 

5  opair(b,dKCROS$(a,V)  (4) 

6  opair(b,dXal  (4) 

7  opair(b,ckCROSS(a,V)  (4) 

8  opair(b,cXal  (4) 

Goaf  opaiKb.ckalAopairfb.dXal 

*****TRY  USING  TAUT} 

9  op»ir(b,cK  a  1  Aopair(b,dK  a  1  (1  4) 

RESOLVE  (opair(b^)<alAopair(b,dXal)3c»d ,  opair(bIcXalAOpair(bIdX% 
al  -♦-*  c-d 

10  c-d  (1  4) 

11  ((opair(b,c)<alAopair(b(c)<CROSS<a>V))A(opair(b,dXalAopair(b,d)<Ct 
ROSS(a,V)))sc-d  (1) 

12  Vb  c  d.(((opair(b,cXalAopair(b,c)<CROSS(a,V»A(opair(b(dXalAopai% 
r<b,dXCR0SS(a,V)))3c-d)  (1) 

*****TRV  USING  IMPLICATION; 

13  d<  a  1  Ad<CROSS(a,V)  (13) 

14  d<CROSS(a,V)  (13) 

15  d<al  (13) 

Goal  alttlalalttlalalalal:  d<al 
*****TRY  USING  TAUT} 

16  d<al  (1  13) 

RESOLVE  d<al»3b  c.d-opair(b,c) ,  deal  -*-*  3b  c.d-opair(b,c) 

17  3b  c.d-opair(b.c)  (1  13) 

18  (d<alAd<CR0SS(a,V))o3b  c.d-opair(b,c)  (1) 

19  Vd.((d< a  1  Ad<CR0SS(a,V))o3b  c.d-opair(b,c))  (1) 

20  Vd.((d<alAd<CR0SS(a,V))p3b  c.d-opair(b,c))AYb  c  d.(((opair(b,cXalX 
Aopair(b^XCROSS(a,V))A(opair(bld)<aiAopair(bIdXCROSS(a,V)))oc-d)  X 
21  (Vd.(d<al=>3b  c.d«opair(b,c))AVb  c  d.((opair(b,cXalAopair(b,dXal)X
3c-d))s<Vd.{(d<alAd<CR0SS<a,V))33b  c.d-opair(b,c))AVb  c  d.(((opair(b,X 
cXalAopair(b,cHCROSS(aIV))A(opair(b,dXalAopair(b,dXCROSS(aIV)))3c% 
«d)) 

22  (FNC(a  1  X»FNC(a  1  nCRO$S(a,V)))«((Vd.(d<a  1  s3b  c.d-opair(b,c»AVb  e  d.X 
((opair(b,cXalAOpair(b,dXal)3c-d))3(Vd.((d<alAd<CR0SS(a,V))33b  c.d-% 
opair(b,c))AVb  c  d.«(opair(b,c)falAopair(b,cXCROSS(a,V))A(epair(b,dX 
Hal  Aopair(b,dXCR0SS(a,V)))3c-d))) 

23  FNC(al)sFNC(alnCROSS(a,V)) 

24  Vf  a.(FNC(f)=>FNC(fnCROSS(a,V))) 

25  Vf  a.FNC<fnCROSS(a,V)) 

26  Vf  a.FNC(f  f  a)*Vf  a.FNC<fnCRO$$<a,V)) 

27  Vf  a.FNC(f  |  a) 

***** 


8.3.2.  Domain  of  the  restriction. 


The next lemma says that if we restrict a function to a subset of its domain, the domain
of the restriction is equal to that subset. The GOAL proof takes nine instances of TRY, one
call to the QED command, plus four forward proving commands: two universal specializations,
one call to RESOLVE and one to REWRITE. The old proof was in 64 lines.


*****GOAL ∀f a.(a⊂DOM(f)⊃DOM(f | a)=a);

Goal #2: ∀f a.(a⊂DOM(f)⊃DOM(f | a)=a)

*****TRY  USING  REWRITE  BY  {SUBSET  KEXT}; 

Goal  *2*1:  Vf  a.(Vc.(c<aoc<DOM(f))oVc.(c<DOM(f  |  a).c(a)) 

****#VE  DOM  f  |  a; 

28  FNC(f  |  a)oD0M(f  |  a)-{cPal.opair<c,alK<f  |  a)} 

*****RES0LVE  t  L41i 

RESOLVE  FNC(f  |  a)=«D0M<f  |  a)-{c|3al.opair(c,alX«  |  a)} ,  Vf  a.FNC<% 
f  |  a)  -*-♦  D0M(f  I  a)-{cj3alopair(c,alX(f  I  a)} 
29  OCMf  |  a)-{c|3al.opair(c,alX(f  |  a)}

*****TRY  USING  REWRITE  BY  {  T  AUX5  AUX13  AUX25  V  CROSS  SET  DOM  RESTRJi 

Goal  Vf  a2.(Vc.(cCa2=>(3b.c<bA3a.opair(c1aXf))3Vc.((3b.c<bA3X 

a  1  .(opair(c,a  l  Xf A((3b.ccbA3b.a  i<b)A3d  e.(<c«dAa  1  -eWd<a2  A3b.e<b)))X 
Xc<a2)) 

*****TRY  USING  ELIMINATION  DEPTH  8‘, 

Goal  s2«  1  •  1 « 1 :  Vc.(c<a2=>{3b.c< bA3a.opair(c,aXf))=>Ye.((3b.cCbA3a  1  .(o% 
pair(c,alXfA((3b.ccbA3b.alcb)A3d  e.((c-dAal-e)A(d(a2A3b.eCb)))))«cCaX 
2) 

Goal  «2*1«1*1*1:  Vc.{(3b.cC b A3a  1  .{op air(c,a  1 X I A((3b.cCbA3b.a  1  cb)A3dX 
e.((c-dAal-e)A(d<a2A3b.e<b)))))*c(a2) 

30  Vc.(c<a23(3b.c<bA3a.opair(c,aXD)  (30) 

Goal  *2*1«1*1«1#1:  (3b.ccbA3al.(opair{c,alXfA((3b.c<bA3b.alcb)A3d  eX 
.((c-dAa  1  -e)A(d<  a2A3b.ec  b))))Xc<  a  2 

Goal  (3b.c<bA3al.{opair{c,alXfA((3b.c<bA3b.al<b)A3dX 

e.((c«dAa  1  -e)A(dc  a2A3b.eC  b)))))=>cc  a2 

Goal  *2« **2:  cCa2=>(3b.cCbA3a l.(opair(c,a  1  Xf A((3b.cCbA3b.a  1<X 
b)A3d  e.({c«dAal«>e)A(dCa2A3b.eCb))))) 

Goal  «2*1«1*1*1*1*1*1:  cca2 

Goal  e2«*  1  a  1 » 1 » 1 « 1  «2*  1 :  3b.ec b A3a  1  .(opair(c,a  1  XI  A((3b.c<bA3b.a lCb)A3X 
d  e.((c-dAal-e)A(dCa2A3b.eCb)») 

31  c<a2  (31) 

RESOLVE  c<a2a(3b.ccbA3a.opair(c(aXf) ,  cca2  -♦-*  3b.ccbA3a.opair(c,aX* 

f 

32  3b.cCbA3a.opair(c,aXf  (30  31) 

33  3a.opair(c,aXf  (30  31) 

34  3b.c<b  (30  31) 

Goal  »2«lel»lalel*2*l«li  3b.cCb 

Goal  *2*lal*l«l«l*2«l«2:  3al.(opair(c,alXfA((3b.ecbA3b.al<b)A3d  e.(X 
(c-dAal  -e)A(dCa2A3b.ecb)))) 

Goal  «2«1«1«1»1«1»2»1«1»1:  ceb 

Goal  tt2*l«l»l«lal*2*l«2»l:  0pair(c,alXfA((3b.cCbA3b.al<b)A3d  e.((c-X 
dAa  1 -e)A(d<a2A3b.ecb») 

Goal  «2«lttl«l«l«l«2ala2al»l:  opair(c,alXf 

Goal  «2elelslslele2*ls2sls2:  (3b.cCbA3b.al(b)A3d  e.((c-dAal«e)A(d<a2X 
A3b.e<b)) 

*****QE0  •2«l«l*lal*l*2al*l  34; 

*****TRY  e2ttlslelsl«ltt2»ls2*l»l  USING  UNIFY  33; 

35  3sl.opair(c,alXf  <30  31) 

36  opair(c,slXf  (36) 
•••♦•REWRITE  AUX5  BY  {SET};

3  substitutions  were  mads 

37  Va  bl.(3b.opair(a,blXb«(3b.a<bA3b.bl<b)) 

•****VE  t  c  al; 

38  3b.opair(c,alXb*(3b.c<bA3b.al<b) 

»****TRY  *2*1*1*1*1*1*2»1*2*1«2  USING  Al; 

Goal  *2*1*1»1«1«1*2«1*2»1«2*1:  3b.c<bA3b.al<b 

Goal  3d  e.«c-dAal-sWcka2A3b.®<b)) 

«***«TRY  1  USING  MONADIC  36  38; 

39  3b.c<bA3b.al<b  (36) 

•••••TRY  USING  MONADIC  31  T; 

40  3b.al(b  (36) 

41  3b.c<b  (30  31) 

42  3d  s.((c-dAal-s)A(d«a2A3b.e<b))  (31  36) 

43  (3b.c<bA3b.al<b)/\3d  e.((c-dAal-®Wd<a2A3b.e<b))  (31  36) 

44  opair(c,alXfA((3b.c(bA3b.al<b)A3d  e.((c-dAal-a)A(d?a2A3b,a<b)))  % 
(31  36) 

45  3al.(opair(c,al)<fA((3b.c<bA3b.al<b)A3d  a.((c-dAal-s)A(d<a2A3b.s«M£ 
))))  (30  31) 

46  3b.c(bA3al.(opair(c,alXfA({3b.c<bA3b.al<b)A3d  s.((c»dAal«e)A(d<a2t 
A3b.e<b))))  (30  31) 

47  c<a2^(3b.c<bA3al.(opair(c>alXfA((3b.c<bA3b.al<b)A3d  a.((c-dAal«a)X 
A(d<a2A3b.e<b)))))  (30) 

•••••TRY  USING  LOGIC; 

48  3b.c<bA3al.(opair(clalXfA((3b.c(bA3b.al<b)A3d  e.((c-dAal-aMd<a2* 
A3b.e<b))))  (48) 

49  3al.(opair(clalXfA((3b.c<bA3b.al<b)A3d  a.((c -dAa  1  -a )A(d<  «2A3b.e<  b% 
))))  (48) 

50  3b.c(b  (48) 

51  3al  d  s.((c-dAal-s)A(d(a2A3bs<b))  (48) 
52  3a  1  b.altb  (48)

53  3a  1  b.c<b  (48) 

54  3al.opair(c,alKf  (48) 

55  3a  1  d  e  b.e<b  (48) 

56  3al  d  e.d(a2  (48) 

57  3a  1  d  e.al-e  (48) 

58  3a  1  d  e.c-d  (48) 

We  have  a  failqueue  of  length:  1 

Starting  a  new  2-th  pass  on  new  queue  of  length:  1 

We  have  a  failqueue  of  length:  1 

Failure:  can't  prove  anything  on  failqueue. 

The  tactic  LOGIC  can't  be  applied  to  goal 
Goal  c<a2 

IMPVL:  48  3b.c<bA3al.(opair(c,alXfA((3b.c<bA3b.al<b)A3d  e.((X 
c-dAa  1  -e)A(d<a2A3b.e<b))» 

FACTS:  30  Vc.(c<a2o(3b.c<bA3a.opair(c,aXf)) 

55  3a  1  d  e  b.ecb 

56  3a  1  d  e.d<a2 

57  3a  1  d  e.al-e 

58  3a  1  d  e.c*d 

51  3a  1  d  e.((c-dAal-e)A(d£a2A3b.e<b)) 

52  3a  1  b.aKb 

53  3a  1  b.c<b 

54  3al.opair(c,alXf 

49  3al.(opair(c,alXfA((3b.c<bA3b.al£b)A3d  e.((c-dAal«e)A5C 
(d<a2A3b.e<b)))) 

50  3b.c<b 

47  c<a2=(3b.c<bA3al.(opair(c,alXfA((3b.c<bA3b.al<b)A3d  e% 
.((c**dAal«e)A(d<a2A3b.e<b))))) 

48  3b.c£bA3al.(opair(c,alXfA((3b.c(bA3b.al(b)A3d  e.((C“dX 
Aa  1  -e  )A(dc  a2  A3b.e(  b)))) 

Simpsets:  (  BY  LOGICTREE  COMPTREE) 

Quantelimlist:  ((c  V)  (a2  V)  (f  V)) 

*****TRY  USING  MONADIC  51; 

59  c<a2  (48) 

60  (3b.c<bA3al.(opair(c,alKfA«3b.c<bA3b.al<b)A3d  e.((c-dAal-e)A(d<aX 
2A3b.e<b)))))oc<a2 

6 1  (3b.c<bA3a l.(opair(c,al Xf A((3b.c<bA3b.a l£b)A3d  e. ((c-dAa  1  -e)A(d<aX 
2A3b.e<b)))))«c<a2  (30) 

62  Vc.((3b.c<bA3al.(opair(c,alXfA{(3b.c£bA3b.al(b)A3d  e.((c-dAal-e)AX 
(d«  a2 A3b.e£b)))))»c<  a2)  (30) 
63  Vc.(c<a2=(3b.c<bA3a.opair(c)aKf))=Vc.U3b.c<bA3al.(opair(c,*lKfAX

<(3b.c«bA3b.al(b)A3d  e.«c-dAa  1  -e>A<d<a2/\3b.e<b)))))ac< a2) 

64  Vf  a2.(Vc.(c<a23Gb.c<bA3a.opair(c,aXf))=Vc.((3b.c(bA3al.(opair(e* 

,a  1  Kf  A((3b.c<bA3b.a  1  <b)A3d  e.((c*dAa  1  -a)A(d<a2A3b.e<b)))))«cfa2)) 

65  Vf  a.(  Vc.(c< asc< DOM(f  ))s  Vc.(c< 00M( f  |  a)«c<a))»Vf  a2.(Vc.(c<a2o<3bX 
.c<bA3a.opair(c,aKf))3Vc.{(3b.c(bA3al.{opair(c,al)<fA({3b.c<bA3b.al<K 
b )A3d  e.((c«dAa  1  -eWd< a2A3b.e< b)))))*c< a2)) 

66  Vf  a.(Vc.<c<aoc<00M<f))3Vc.<c<00M(f  |  a)«c<a)) 

67  Vf  a.(ac[X3M(f)3D0M(f  |  a)-a)«Vf  a.(Vc.(ctaoctDOMf))^Vc.(c(DOM(f  I* 
a)ac(a)) 

68  Vf  a.<acCXMf)=>DOM(f  |  a)-a) 

***** 


8.3.3.  Restriction  of  a  one-to-one  function. 


The next lemma states (in somewhat different terms) that the restriction of a one-to-one
function is again one-to-one. The old proof took 68 steps. The following one requires six calls
to TRY, one to RETRY, two calls to QED, and the following four forward commands from FOL:
two universal specializations, one REWRITE, and one call to TAUT. A total of 13 commands
instead of 68.


*****GOAL ∀f a.(FNC(CONV(f))⊃FNC(CONV(f | a)));
Goal #3: ∀f a.(FNC(CONV(f))⊃FNC(CONV(f | a)))

*«***VE  CONV  f  |  aj 

54  REL(f  |  a)=CONV(f  |  a)-{c|3al  b.(c-opair(al,b)Aopair(b,alH«  |  a)% 

)) 

*****REWRITE  141  BY  {FNC}i 
1  substitutions  were  made 

55  Vf  a.(REUf  |  a)AVb  c  d.((opair(b,cK(f  |  a)AOpair<b,dX(f  |  a)pc% 
■d)) 

**»**VE  t  f  a; 

56  REL(f  I  a)AVb  c  d.((opair(b,cX(f  |  a)Aopair<b,dX(f  I  «)>=c-d) 
**#**TAUT  :#2  ,Tj

57  CONV(f  |  a)-{c|3al  b.(c-opair(al,b)Aopair(b.alK(f  |  a))} 

$***$TRY  USING  REWRITE  BY  {  T  FNC  REL  CONV  RESTR  AUX13  AUX25}{ 

Goal  *3#1:  Vf  a2.«Vd.((S£T(d)A3a  b.(d-opair(a,b)Aopair(b,aX<))=>3b  X 
c.d-opair(b,c))AVbl  c  d.(((SET(opair(bl,c))A3a  b.((bl«aAc«b>Aopair(b,X 
a)<f))A(SET{opair(bl,d))A3a  b.{(bl-aAd-b)Aopair{b,a)(f)))3c-d))3(Vd.0£ 
(SET(d)A3a  1  b.(d»opair(a  1  ,b)A(opai  r(b,a  1  )<f  Aopair(b,a  1  XCR0SS(a2,V)))X 
)»3b  c.d-opair(b,c))AVbl  c  d.(«SET(opair(bl,c))A3al  b.{{bl«alAc«bM% 
opair(b,al)(fAopair(b,al)(CROSS(a2,V))))A(SET{opair(bl.d))A3al  b.((blX 
-a  1  Ad-b)A(opair(b,a  1  X<  AOpair(b,a  1  )<CR0SS(a2,V)))>)ac-d))) 

*****TRY  USING  ELIMINATION  DEPTH  5s 

Goal  (Vd.((SET(d)A3a  b.{d“Opair{a,b)Aopair(b,aXf)):>3b  c.d-oX 

pair(b,c))AVbl  c  d.M(SET(opaii'(bl,c))A3a  b.((bl-aAc-b)Aopair(b,a)(f)X 
)A(SET(opair(bl,d))A3a  b.(<bl=aAd«b)Aopair(b,aXf)))=>c-d)):><Vd.<(SET(X 
d)A3al  b.(d«opair(al>b)A(opair(btal)<fAopalr(b>ai)<CR0SS(a2>V))))33b  X 
c.d«opair(b,c))AVbl  c  d.(((SET(opair(bl,c))A3al  b.((bl-alAc«bWopairX 
(b,a  1  )<  f  Aopair(b,a  1  XCROS$(a2,V)))WSET<opair<b  1  ,d)>A3a  1  b.({b  1  -a  1  Ad% 
-b)A(opair(b,alXfAopair(b,alXCROSS(a2,V)))))3c«d)) 

Goal  «3*1«1«1:  Vd.((SET(d)A3al  b.(d-opair(a  1  ,b)A(opair(b,a  l)<f  AopairX 
(b,alKCROSS(a2,V))))o3b  c.d-opair(b,c))AVbl  c  d.«(S£T(opair(bl,c))AX 
3a  1  b.((bl-al  Ac«b)A(opair(b,a  1  )<f  Aopair(b,a  1  XCR0SS(a2,V))))A(SET(opaX 
ir(b  1  ,d))A3a  1  b.«b  1  -a  1  Ad«b)A(opair(b,a  1 X  f  Aopair(b,a  1  XCROSS(a2,V)))% 
»c-d) 

58  Vd.((SET(d)A3a  b.(d-opair(a,b)Aopair(b,aXf))33b  c.d«opair(b,c))AYX 
bl  c  d.(«SET(opair(bl,c))A3a  b.((bl-aAc-b)Aopair(b,aXO)A(SET(opairX 
(bl,d))A3a  b.((bl-aAd-b)Aopair(b,aXf)))3c-d)  (58) 

59  Vbl  c  d.(((SET(opair(bl,c))A3a  b.«bl-aAC-b)Aopair(b,aXf»A(SET(oX 
pair(bl,d»A3a  b.((bl-aAd-b)Aopair(b,aXf)))3c»d)  (58) 

60  Vd.((SET(d)A3a  b.(d-opair(a,b)Aopair(b,aXf»:>3b  c.d-opair(b,c))  X 
(58) 

Goal  e3elelelelt  Vd.((SET(d)A3al  b.(d-opair(al,b)A(opair(b,alXfAopaX 
ir(b,alXCR0SS(a2,V))))33b  c.d-opair(b.c)) 

Goal  *3»1«1*1*2:  Vbl  c  d.(((SET(opair(bl,c))A3al  b.((bl-alAc-b)A(opaX 
ir(b,a  1 X  f  Aopair(b,a  1  XCROSS(a2,V))))A(SET(opair(b  1  ,d))A3a  1  b.«b  1  -a  1 X 
Ad-b)A(opair(b,a  1 X  f  Aopair(b,a  1  XCR0SS(a2,V)))))oe-d> 

Goal  «3<*l«lal*l»l:  (SET(d)A3al  b.(d-opair(al,b)A(opair(b,alXfAopairX 
(b.alXCR0SS(a2,V))))o3b  c.d-opair(b.c) 

Goal  «3«l»lal*l*l#l:  3b  c.d-opair(b.c) 

Goal  e3slelels2el:  ((SET(opair(bl,c))A3al  b.((bl-alAc-bWopair(b,alX 
X  f  Aopair(b,a  1  XCR0SS(a2,V))))A(SET(opair(b  1  ,d))A3a  1  b.((b  1  -a  1  Ad-bWX 
opair(b,a  1  Xf  Aopair(b,a  1  XCR0SS(a2,V)))))oc-d 
Goal  »3»lelele2»l«l:  c-d 

««***RETRY  a3elelalal  USING  MONADIC; 

Goal  a3«lalal«l:  Vd.((SET(d)A3a  1  b.(d-opair(al,b)A<opair(b,alXlAopa% 
ir(b,alXCROSS(a2,V))))o3b  c.d-opair(b,c))  abandoned

6 1  Vd.«$ET(d)A3a  1  b.(d-opair(a  1  ,b)A(opair(b,a  1  Hi  Aopair(b,a  1 XCROSSOC 
a2,V))»o3b  c.d-opair(b,c)) 


*»***TRY  USING  IMPLICATION; 

62  (SET(opair(b  1  ,c))A3a  1  b.((b  1  -a  1  Ac-b)A(opair(b,a  1  Xf Aopair(b,a  1  XCR* 
OSS(a2,V))))A(SET{opair(bl,d))A3al  b.((bl-alAd-bWopair<b,alXfAOpaiX 
r(b,alXCROSS(a2,V))»  (62) 

63  3al  b.((bl-alAd-b)A(opair(b,al)(fAopair(b,alXCROSS(a2,V)))  (62) 

64  SET(opair(bl,d))  (62) 

65  3a  1  b.((bl-alAc-b)A(opair(b,alXfAopair(b,alXCROSS(a2,V)))  (62) 

66  SET(opair(bl.c))  (62) 

67  3a  1  b.opair(b,alXCROSS(a2,V)  (62) 

68  3al  b.opair(b,alXf  (62) 

69  3a  1  b.c-b  (62) 

70  3a  1  b.bl-al  (62) 

71  3al  b.opair(b,alXCROSS(a2.V)  (62) 

72  3a  1  b.opair(b,alXf  (62) 

73  3a  1  b.d-b  (62) 

74  3al  b.bl-al  (62) 

Goal  •3alal»l«2alal«l:  (SET(opair(bl,c))A3a  b.((b  1  -aAc-b)Aopair(b,a)X 
(f))A(SET(opair(bl.d))A3a  b.((bl-aAd-b)Aopair(b,aXt)> 

*****TRY  USING  ELIMINATION  DEPTH  2; 

Goal  «3ttlalal*2«lalal«l;  SET(opair(bl,c»A3a  b.((bl-aAc»b)Aopair(b,a< 
Xf) 

Goal  »3«lalal«2alalal«2:  SET(opair(bl,d))A3a  b.((bl»aAd-b)AOpair(b,aX 
Xf) 

Goal  a3al*lala2«l«lalalal:  SET(opair(bl,c)) 

Goal  a3«lal*l«2*l*lalal*2:  3a  b.((bl-aAc-b)Aopair{b,aXf) 

Goal  «3«lalal«2al«lal»2«l:  SET(opair(bl,d)) 

Goal  •3al«l«l»2alalala2a2:  3a  b.((bl-aAd-b)A©pair(b,aXf> 

****#TRY  USING  MONADIC  63; 

75  3a  b.((bl*aAd*b)Aopair(b,aXf)  (62) 
*****TRY  *3«l»l«l»2»lttl*l*l«2  USING  MONADIC  65;

76  3s  b.((bl-8Ac-b)AOpair(b,aXf)  (62) 

*****QED  »3elelel«2slsl«lslsl  66; 

77  SET(opair(bl,c)}A3a  b.((bl-aAc«b)Aopair(b,aXf)  (62) 

«***«QED  64; 

78  SET(opair(bl,d))A3a  b.((bl-aAd«b)Aopair(b,aXf)  (62) 

79  (SET(opair(bl,c))A3a  b.((bl-aAc-b)Aopair(b,aXf))A(SET(opair(bl,d)% 
)A3a  b.((bl-aAd«b)Aopair(b,a)<f))  (62) 

RESOLVE  ((SET(opair(bl,c))A3a  b.((bl-aAc-b)Aopair(b,aXf))A(SET(opairX 
(bl,d))A3a  b.((bl-aAd-b)Aopair(b,a)(f)))=c-d  ,  (SET(opair(bl,c))A3a  bX 
.((bl-aAc-b)Aopair(b,aKf))A(SET(opair(bl,d))A3a  b.((bl-aAd-b)Aopair(X 
b.aKO)  c-d 

80  c-d  (58  62) 

81  ((SET(opair(b  1  ,c))A3a  1  b.((b  1  -a  1  Ac«b)A(opair(b,a  1  X  f  Aopair(b,a  1  XCX 
R0SS(a2,V))))A(SET(opair(b  1  ,d))A3a  1  b.((b  1  -a  1  Ad-b)A(opair(b,a  1  Xf  AopaX 
ir(b,alKCR0SS(a2,V)))))3c-d  (58) 

82  Vbl  c  d.(((SET(opair(bl,c))A3al  b.((bl-alAc-b)A(opair(b,al)<fAopaiX 
r(b,a  1  KCROSS(a2.V))))A(SET(opair(b  1  ,d))A3a  1  b.((b  1  -a  1  Ad-b)A(opair(b,X 
a  1 X f Aopair(b,a lXCR0SS(a2,V)))))=>c-d)  (58) 

83  Vd.«SET(d)A3a  1  b.(d«opair(a  1  .b)A(opair(b,a  1  )<f Aopair(b,a  1  )<CROSS(X 
a2,V)))X>3b  c.d-opair(b,c))AVbl  c  d.(«SET(opair(bl,c))A3al  b.((bl-alX 

Ac«b)A(opair(b,alXfAopair(b,alXCROSS(a2,V))))A(SET(opair(bl,d))A3al% 

b.((b  1  -a  1  Ad-b)A(opair(b,a  1  Xf Aopair(b,a  1  )cCR0SS(a2,V)))»=>c«d)  (58) 

84  (Vd.((SET(d)A3a  b.(d«opair(a,b)Aopair(b,a)<f)):>3b  c.d-opair(b,c))AX 
Vbl  c  d.(((SET(opair(bl,c))A3a  b.((bl-aAc-b)Aopair(b,aXf))A(SET<opaiX 
r(bl,d))A3a  b.((bl-aAd-b)Aopair(b,a)<f)))=>c-d))=>{Vd.{($ET(d)A3al  b.(dX 
-opair(al,b)A(opair(b,alXfAopair(b,al)(CROSS(a2,V))))33b  c.d-opair(bX 
,c))AVbl  c  d.(((SET(opair(bl,c))A3al  b.((bl-alAc-b)A(opair(b,alXfAopX 
air(b,a  1  XCROSS(a2,V))))A($ET(opair(b  1  ,d))A3a  1  b.((b  1  -a  1  Ad-b)A(opair(X 
b,al  Xf  A0pair(b,a  1  XCR0SS(a2,V)))))oc-d)) 

85  Vf  a2.((Vd.((SET(d)A3a  b.(d«opair(a,b)Aopair(bIa)<())33b  c.d-opairX 
(b,c))AVbl  c  d.(((SET(opair(bl,c))A3a  b.((bl-aAc«b)Aopair(b,aXf))A(SX 
ET(opair(bl,d))A3a  b.((bl«aAd«b)Aopair(b,aXf)))3c-d)):>(Yd.((SET(d)A3X 
a  1  b.(d»opair(a  1  ,b)A(opair(b,a  1  Xf  Aopair(b,a  1  XCR0$$(a2,V)))):>3b  c.d-X 
opair(b,c))AVbl  c  d.((($ET(opair(bl,c))A3al  b.((bl-alAc-b)A(opair(b,8X 

1  XfAopair(b,a  1  XCROSS(a2,V))))A(SET(opair(b  1  ,d))A3a  1  b.«b  1  -a  1  Ad-b)AX 
(opair(b,alXfAOpair(b,alXCR0SS(a2,V)))))3c-d))) 

86  Vf  a.(FNC(CONV(f))aFNC(CONV(f  |  a)))*Vf  a2,((Vd.((SET(d)A3a  b.(d-oX 
pair(a,b)Aopair(b,aXf)>?3b  c,d-opair(b,c))AYbl  c  d.{((SET(opair(b),cX 
))A3a  b.((bi»aAc-b)Aopair(b,aXf))A(SET(opair(bl,d))A3a  b.((bl»aAd«b)X 
Aopair(b,a)<f)))=c-d))3{Vd.{(SET{d)A3al  b.(d»opair(al,b)A(opair(b,al)*>l
<(Aopair(b,alKCR0SS<a2,V))))33b  c.d=opair(b,c))AVbl  c  d.(((SET(opairtt 
(b  1  ,c))A3a  1  b.{(b  1  -a  1  Ac-b)A(opair(b,a  1  )(f  Aopair(b,a  1  XCR0SS(a2,V))))A% 
(S£T(opair(b  1  ,d))A3a  1  b.((b  1  -a  1  Ad«bMopair(b,a  1  )<f  Aopair(b,a  1 XCROSSK 
(a2,V)))))3c-d))) 

87  Vf  a.(FNC(CONV{f))=FNC(CONV(f  |  a))) 

***** 


8.3.4. Domain and range of a one-to-one function.


The next lemma states that the domain and the range of a one-to-one function are
congruent. It is proved by a single call to LOGIC, whereas the old proof was in eight
commands.


*****GOAL ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f))) SASSUME CONG;

Goal #4: ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)))

*****TRY USING LOGIC;

Goal #4#1: ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM(f%
1)∧RNG(f)=RNG(f1)))))

Goal #4#1#1: ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG%
(f)=RNG(f1))))

88 ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)=RNG(f1)%
)))

89 ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)%
=RNG(f1)))))≡∀f1.(FNC(CONV(f1))⊃∃f.(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(%
f)=RNG(f1))))

90 ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)%
=RNG(f1)))))

91 ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)))≡∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f%
)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)=RNG(f1)))))

92 ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)))

LOGIC SUCCEEDED!

*****


Next  we  show  the  FOL  proof  generated  by  LOGIC  for  the  above  lemma. 
*****SHOW PROOF 88:;

***** MONADIC ;

88 ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)=RNG(f1)%
)))

*****SIMPLIFY ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM%
(f1)∧RNG(f)=RNG(f1)))));

89 ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)%
=RNG(f1)))))≡∀f1.(FNC(CONV(f1))⊃∃f.(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(%
f)=RNG(f1))))

*****TAUT ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)%
∧RNG(f)=RNG(f1))))) 88,89;

90 ∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)%
=RNG(f1)))))

*****REWRITE ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f))) BY CONG LOGICTRE%
E COMPTREE;

91 ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)))≡∀f1.(FNC(CONV(f1))⊃∃f.(FNC(f%
)∧(FNC(CONV(f))∧(DOM(f)=DOM(f1)∧RNG(f)=RNG(f1)))))

*****TAUT ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f))) 90,91;

92 ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)))

*****


8.3.6.  Range  of  the  restriction. 


The last of these lemmas states that the range of the restriction of a function is a subset of
the range of that function. The old proof was in 23 steps, while the new one takes three
steps: two FOL commands followed by a call to LOGIC.


*****GOAL ∀f a.RNG(f | a)⊂RNG(f);

Goal #5: ∀f a.RNG(f | a)⊂RNG(f)

*****∀E RNG f | a;

93 FNC(f | a)⊃RNG(f | a)={c|∃a1.opair(a1,c)∈(f | a)}

*****REWRITE ↑ BY {L41}∪LOGICTREE;

2 substitutions were made

94 RNG(f | a)={c|∃a1.opair(a1,c)∈(f | a)}

*****TRY USING LOGIC PLUS SUBSET RNG ↑ RESTR SET AUX25;

Goal #5#1: ∀f a2 c.((∃b.c∈b∧∃a1.(opair(a1,c)∈f∧opair(a1,c)∈CROSS(a2,%
V)))⊃(∃b.c∈b∧∃a.opair(a,c)∈f))

95 ∀f a2 c.((∃b.c∈b∧∃a1.(opair(a1,c)∈f∧opair(a1,c)∈CROSS(a2,V)))⊃(∃b.%
c∈b∧∃a.opair(a,c)∈f))

96 ∀f a.RNG(f | a)⊂RNG(f)≡∀f a2 c.((∃b.c∈b∧∃a1.(opair(a1,c)∈f∧opair(a%
1,c)∈CROSS(a2,V)))⊃(∃b.c∈b∧∃a.opair(a,c)∈f))

97 ∀f a.RNG(f | a)⊂RNG(f)

LOGIC SUCCEEDED!

*****

8.4.  The  GOAL  proof  of  Ramsey's  theorem. 

We started the proof from scratch. To the axioms listed in the previous sections, we
added the last five lemmas as axioms, as follows. The names L41, L95, etc., refer to the line
numbers these lemmas had in the old proof.

*****DECLARE INDVAR a2 b2 c2 d2 e2;

*****AXIOM L41:∀f a.FNC(f | a);;

L41: ∀f a.FNC(f | a)

*****AXIOM L95:∀f a.(a⊂DOM(f)⊃DOM(f | a)=a);;

L95: ∀f a.(a⊂DOM(f)⊃DOM(f | a)=a)

*****AXIOM L153:∀f a.(FNC(CONV(f))⊃FNC(CONV(f | a)));;

L153: ∀f a.(FNC(CONV(f))⊃FNC(CONV(f | a)))

*****AXIOM L161:∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)));;

L161: ∀f.(FNC(CONV(f))⊃CONG(DOM(f),RNG(f)))

*****AXIOM L184:∀f a.RNG(f | a)⊂RNG(f);;

L184: ∀f a.RNG(f | a)⊂RNG(f)

*****

The complete proof using GOAL follows. After the proof, we conclude with some statistics
about it.

*****GOAL  VG  R  B.(  DENUM(G)  a  EDGESET(G)  -  RuB  a  RnB  -  X 

s  3a.(acGADENUM(a)A(EDGESET(a)cBvEDGESET{a)cR)))i 

Goal  el:  VG  R  B.<(DENUWG)A(EDGESET(GWRuBMRnB)-X»:>3a.(acGA(DENUX 
M(a)A(EDGESET(a)cBvEOGESET{a>cR»)) 

*****TRY  USING  Vlj 

Goal  *1*1;  (DENUM(G)A(EDGESET(GHRuB)A(RnB)-X))33a.(acGA(DENUM(8)A(X 
EDGESEKa)cBvEDGESET(a)cR))) 

*****TRY  USING  si; 

Goal  *1*1*1:  3a.(acGA(DENUM{a)A(EDGESET{a)cBvEDGESET(a)cR))) 

*****PREPAREj 

1  DENUM(G)A(EDGESET(G)-(RuB)A{RnB)-X)  (1) 

2(RnB)-X  (1) 

3  EDGESEKG)-(RuB)  (1) 

4  DENUM(G)  (1) 

*****LABEL  DENUMG  T> 

*****LABEL  NOTRB; 

*****REWRITE  2  BY  {KEXT  AUX25  EMPTYJuLOGICTREEuCOMPTREE; 

8  substitutions  were  made 

5  Vc.-(c<Rac<8)  (1) 

*****LABEL  EGETRB; 

*****REWRITE  3  8Y  {KEXT  AUX6}j 

2  substitutions  were  made 
6  Vc.(c<  EDGE$ET(G)«(c<  Rvc<  B»  (1)

*****LABEL  EDGERB  t; 

*****LABEL  EDGER; 

****»MONADlC  Vc.(c<R=>T:*l#l)  t; 

7  Vc.(c< R^c< EOGESEKG))  (1) 

*****LABEL  EDGEB; 

*****MONADIC  Vc.(c(R=TT:«1«1)  TT; 

8  Vc.(c<  R»c<  EDGESET (G))  (1) 

**m*LABEL  SETGj 
*****RESOLVE  DENUMG  AUX1; 

RESOLVE  DENUM(a)3SET(a) ,  DENUM(G)  -♦-*  SET(G) 

9  SET(G)  (1) 

**«*LABEL  NONOG; 

*****RESOLVE  DENUMG  AUX3; 

RESOLVE  DENUM(a)3-(a-X) ,  DENUM(G)  XG-X) 

10  -(G-X)  (1) 

*«***VE  CHOICE  G; 

1 1  $ET(G):>3<.Va.<(acGMa-X))3(fMaXa) 

****»TAUT  T:*2  SETG  T; 

12  3LVa.f'acGA-(a-X))3<raKa)  (1) 

***«*LA8EL  CHOOSEP; 

**«**ES  T  p; 

13  Vs.«scG/Wa-X))3<p’,aXa>  (13) 

****«VE  INDUCTDEF  G  {b]3c  d.(b-opair(c,d)AceGA<s-X) 

*  a  d— IF  OENUM({b(b<cApair(p"c,bXR)) 

*  THEN  {b|b<cAPair(p“c,b)<R) 

*  ELSE  (b|b<cApair(p"c,bXB))}; 

14  SET(G)3<UNiVERSAL({b|3c  d.(b-opair(c,d)A(ccGAMc«X)Ad-lF  DENUM({bX 
|b<cApair(p*c,bXR})  THEN  {b|b<cApair(p’c,bXR}  ELSE  {b|b(CApair(p"c,X 
bHB})))})33c.Vb.{c-b«{FNC(b)A(00M(b)-omegaA((b"X)-GAVi.(b"SUC(i))-({X
b|3c  d.{b-opair(c,d)A(ccGA(-^c»X)Ad-IF  DENUM({b|b<cApair(p*c,bXR})  TX 
HEN  {b|b<cAp«ir{p-c,bXR}  ELSE  {b|b<cApair(p“c,bXB}»)}H(b“i)))))))  X 

***»*EVAL  t| 

15  SET<G)33c.Vb.(c-b«(FNC(b)A(DOW(b)-omegaA((b“X)-GAVi.(bHSUC(i))-({bX 
|3c  d.(b-opair(c,d)A(ccGA(-Kc«X)Ad-IF  DENUM({b|b<cApair(p”c,bXR})  THX 
EN  {b|b<cApair(p"c,bXR}  ELSE  {b|b<cApair<p"c,bXB}»>}"(b,,i»»» 

#****REWRIT£  T  BY  {SETG}uLOGICTREE; 

2  substitutions  were  made 

1 6  3c.Vb.(c-b«(FNC{b)A(DOM{b)-omegaA((b"X)-GAVi.{b"SUC(i)M{b|3c  d.(X 
b-opair(c,d)A(ccGAHe-X)Ad-IF  DENUM({b|b<cApair(p*clbXR})  THEN  {b|bX 
<cApair(p"c,bXR}  ELSE  {b|b<cApair(p"c)bXB})))}"(b‘,i))»))  (1) 

***«ES  T  ee; 

1 7  Vb.(ee-b«<FNC(b)A(DOM(b)-omegaA«b"X)-GAVi.(b"SUC(i)H{b|3c  d.(b«X 
opair(c,d)A(ccGA(-<c-X)Ad-IF  DENUM<{b|b<eApair(p"c,bXR})  THEN  {b|btcX 
Apairfp'c.bXR}  ELSE  {b|b<cApair{p“c.bXB})})}"(b"i)»)))  (17) 

***»*VE  T  ee; 

18ee-ee«(FNC(ee)A(D0M(ee)-omegaA((ee*X)-GAVi.(ee"SUC(i)M{b|3c  d.(bX 
-opair(c,d)A(ccGA(-(c-X)Ad-IF  DENUM({b|b<cApair(p"c,bXR})  THEN  {b|b<X 
cApair(p-c,bXR}  ELSE  {b|b<cApair(p"c,b)<B})))},,(ee,,i»»)  (17) 

*****LABEL  IFUNG; 

*«**REWRITE  T  BY  LOGICTREEj 

2  substitutions  were  made 

19  FNC(ee)A(DOM(ee)-omegaA((ee"X)»GAVi.(ee"SUC(i))-({b|3c  d.(b»opair(X 
c,d)A(ccGAHc«X)Ad«IF  DENUM({b|b(CApair(p"c,b)(R})  THEN  {b|b<cApair(X 
p"c.bXR}  ELSE  {b|b<cApair(p"c.bXB})))}"(ee-i))))  (17) 

*****GOAL  T:#2*2*2  ASSUME  Tj 

Goal  «2:  Vi.(ee"SUC(i))-({b|3c  d.(b-opair(c,d)A(ccGA(-(c-X)Ad-IF  DENX 
UM({b|b(cApair(p*c,bXR})  THEN  {b|b<CApair(p"c,bXR}  ELSE  {b|b<CApairX 
(p"c,bXB})))}"(ee"i)) 

*****PREPAREj 

20  Vi.(ee"SUC(i))-({b|3c  d.(b-opair(c,d>A(ccGA(-(c-X)Ad-IF  DENUM({b|bX 
<cApair(p"c,bXR})  THEN  {b|b<cApair(p"c,b)<R}  ELSE  {b|b<cApair(p"c,b)X 
<B})))}"(ee"i))  (17) 

21  (ee"X)-G  (17) 

22  OOM(ee)-omega  (17) 


23  FNC(ee)  (17)


•♦♦•♦QEO  TTTTj 
♦♦♦••LABEL  EEDEF  TTTt; 

♦♦♦♦♦LABEL  EEO  ttt; 

♦♦♦♦•LABEL  DOMEE  TT; 

♦♦♦♦♦LABEL  FUNEE  T; 

♦•♦♦♦GOAL  DENUM({K|DENUM({b|b((ee"k)Apair(p*(ee"K)lb)<R})}) 

*  v  OENUM({khDENUM({b|b<(ee"k)Apair(p-(ee“k).bKR})})  i 

^i,,!?:,<PENUI^{k|DENUM<{b|b<(ee"k)Apair(p"<e8"K)-b^R}>})vDEN^{^ 

-•OENUM({b|b<(ee  k)Apair(p"(ee"k),bHR})}) 

*»***VE  AUXIO  {k|DENUM({b|b<(ee,'k)Apair(p"(ee,'k))b)<R})} 

*  {k|-'DENUM({b|bc(ee"k)Apair(p"(ee"k),b}<R})}i 

24  UNIVERSAL({k)DENUM({b|b((ee"k)Apair(p“(ee"k)1bXR})})=(UNIVERSAL(()( 
khOENUM({b|b<(ee“k)Apair(p"(ee"k),b)<R})})D(OENUM({k|DENUM({b|b<{es*X 
k)Apair(p  (ee”k),bXR})}u{k|->DENUM({b|b<(ee"k)Apair(p"(ee"k),bXR})})K 
3(DENUM({k|DENuM({b|b<(ee"k)Apair(p*(ee*k)IbXR)>})vD£NUM({k|-DENUM(f« 
b|b<(ee  k)Apair(p"(ee“k),bXR})})))> 

•****EVAL  t| 

25  OENUM({k|DENUM({b|b<(ee"k)Apair(p"(ee"k)1bXR})}u{k|'DENUM{{b|b<(sX 
e  k)Apair(p“(ee"k)(bXR})})3(DENUM({k|DENUM({b|b((ee"k)Apair(p"(es"k)X 
,bKRj)})vD£NUM({k|->OENUM({b|b<(ee"k)Apair(p"(ee"k)>b)(R})})) 

♦♦•♦♦GOAL  omega  -  {k|DENUW({b|b((eeMk)Apair(p"(ee"k),bXR})} 

*  u  {k|-DENUM({b|b((ee"k)Apair(p"(ee"k>,bXR})}i 

*4:  0mega"({k|DENUM({b|b<{ee"k)Apair(p"(ee"k))bXR})}u{k|>«DENUM5( 

( {b|b<  (ee"k)Apair(p"(ee"k),bXR})}) 

•♦♦♦♦SIMPLIFY  SETflfc 

26  SET(i) 

♦•••♦LABEL  NATSET; 

•♦♦♦♦VI  t  i*-g; 

27  Va.(NATNUM(a)3SET(a)> 

*****TRY  USING  REWRITE  BY  {KEXT  AUX6  omega}: 

Goal  «4el:  Vc.((SET(c)ANATNUM(c))«((NATNUM(c)ADENUM({b|b((ee"c)ApairX 
(p  (ee  c),bXR}))v<NATNUM(c)A'DENUM({b|b((ee"c)Apair{p"(#e"c),bXR})))) 


*****TRY  USING  MONADIC  NATSET;

28  Vc.((SET(c)ANATNUM(c))i({NATNUM{c)ADENUM{{btb<(ee"e)Apair(p"(ee,,c)X 
,bKR}»v(NATNUM(c>A-DENUM{{b|b<{ee"c)Apair{p“(ee"c)1bKR})))) 

29  omega*({k|DENUM({b|bc(ee"k)Apair(p"(ee"k),b)<R})}Ui,k|-DENUM({b|b<(¥ 
ee"k)Apair(p"(ee"k)^KR})})*Vc.((SET(c)ANATNUM(c))*{(NATNUM(c)ADENUM« 
({b|b«ee"c)Apair(p*(ee"c),b)<R})MNATNUM{c>A-DENUM({blb«(ee"c)ApairX 

(p"(ee"c),bHR}))» 

30  omega-({k|D£NUM({b|b<{eeBk)Apair{pB(eeBk),b)<R})}u{k|-«DENUM({b|b<(K 
ee"k)Apair(p"(ee"k),b)<R})}) 


*****TRY  #3  USING  MONADIC  T.TTttTt  AUX30i 

31  DENUM({k|DENUM({b|bc(ee"k)Apair(p"{ee"k),bKR})})vDENUM({khDENUM(X 
{b|b<(ee"k)Apair(p"(ee"k),b)(R})}) 


«t***TRY  #1#1«1  USING  EG  RNG({b|3k.b-opair(k,pB(ee“k))}  J 
a  IF  DENUM({k|DENUM{{b|b<(eeBk)Apair{p“(eeBk),b)(R})}) 

*  THEN  {k|DENUM({b|bC(eeMk)Apair(pB(ee"k),bKR})} 

*  ELSE  {k|iDENUM({b|b((ee*k)Apair(p"(eeBk),bKR})}) ; 

Goal  el  el  el  el:  RNG({b|3k.b«opair(k,pB<eeBk))}  |  IF  DENUM({k|DENUM{{bX 
|b<(ee"k)Apair(p"(ee"k),bKR})}}  THEN  {k|DENUM<{b|b«eeBk)Apair(pB(eeX 
”k),b)<R})}  ELSE  {k|-DENUM({b|b<{eeBk)Apair(pB(eeBk),b)<R})})cGA(DENUK 
M<RNG({b|3k.b-opair(k,p*(ee"k))}  |  IF  DENUM({k|DENUM({b|bc(eeBk)ApairX 
(pB(ee“k),b)(R})})  THEN  {k|DENUM({b|b<(eenk)Apair(p"<ee"k),bXR})}  ELK 
SE  {khDENUM<{b|b<(ee”k)Apair(pB<ee"k),b)<R})}))A(EDGESET<RNG({b|3k.bX 
-opair(k.pB(eeBk))}  |  IF  DENUM({k|DENUM{{b|bc(eeBk>Apair(pB(eeBk),b)<K 
R})}>  THEN  {k|DENUM({b|b«eeBk)Apair(p"(eeBk),bXR})}  ELSE  {k|-DENUM(K 
{b|b<(eeBk)Apair(pB(eeBk)1b)(R})}))cBvEDGESET(RNG{{b|3k.b-op8ir(klpB(K 
eeBk))}  |  IF  DENUM({k|DENUM{{b|b«eeBk)Apair(pB{eeBk),b)(R})})  THEN  {K 
k|DENUM[b|b«eeBk)Apair(pB(e8Bk),b)<R})}  ELSE  {k|-DENUM({b|b<(eeBk)AK 
pair(pB(eeBk),bXR}>}))cR)) 

*****GOAL  FNC({b|3k.b-opair(k,pH(ee”k))})i 

Goal  *5:  FNC({b|3k.b-opair(k,pB(eeBk))}) 

*****TRY  USING  REWRITE  BY  {FNC  REL  AUX27}; 

Goal  «5el:  Vd.((SET(d)A3k.d»opair(Klp"(eeBk)))=3b  c.d-opair(b,c))AVbK 
c  d.(((SET(opair(b,c))A3Mb-kAc-(pB(eeBk))))A{SET(opair(b,d))A3k.(bK 
-kAd-(p"(ee"k)))))ac«d) 

*****TRY  USING  ELIMINATION  DEPTH  2; 

Goal  *5«1*1:  Vd.(($ET(d)A3k.d-opair(k,pB{eeBk)))33b  c.d«opair(b,c)) 

Goal  *5«1«2:  Vb  c  d.«(SET(opair(b,c))A3Mb-kAc-(pB<eeBk))))A(SET(oK 
pair(b,d))A3k.(b-kAd“(pB(ee"k)))))=>c»d) 

Goal  e5elelel:  (SET(d)A3k.d-opair(k,p"(eeBk)))33b  c.d»opair(b,c) 
Goal  «5«1«2»1:  (($ET(opair<b,c))A3k.<b-kAc-(p"(ee,’k))>)A(SET<opair(bX
,d))A3k.(b«KAd-(p"(ee"K))))>oc-d 

•••••TRY  e5elelsl  USING  LOGIC; 


32  (SET(d)A3k.d-opair(klp"(ee"k)»33b  c.d-opair(b,c) 

33  Vd.((SET(d)A3k.d-opair(k,p“(ee"k)))33b  c.d»opair(b,c)> 

Goal  e5«le2elel:  c-d 

34  (SET(opair(b,c))A3k.(b-kAc-(p"(ee"k»»A(SET{opair(b1d))A3k.{b-kAdX 
-<p"<ee"k))))  (34) 

35  3k.(b-kAd-{p"(ee"k)))  (34) 

36  SET(opair(b,d))  (34) 

37  3k.(b-kAc-(p"(ee"k)»  (34) 

38  SET(opair(b,c))  (34) 

We  have  a  failqueue  of  length:  1 

Starting  a  new  2-th  pass  on  new  queue  of  length:  1 

We  have  a  failqueue  of  length:  1 

Failure:  can’t  prove  anything  on  failqueue. 

The  tactic  LOGIC  can’t  be  applied  to  goal 

Goal  Provea  32  (SET(d)A3k.d-opair(k,p“(ee"k)))=3b  c.d* 

-opair(b.c) 

•****ES  TTTt  k; 

39  b-kAd-(p”(ee*,k))  (39) 

•****E$  TTT  jj 

40  b-jAc-(p"(ee"j))  (40) 

•••••TAUTEQ  k-j  tf:; 

41  k-j  (39  40) 

•••••REWRITE  TTT  BY  {T}; 

2  substitutions  were  made 

42  b-jAd-(p"(ee"j))  (34  40) 

•••••TRY  USING  TAUTEQ  TTT.T; 
44  ((SET(op»ir(b,c))A3k.(b-kAc-(p"(ee"K))))A(SET{opair(b,d»A3k.(b-KAX
d-<p"(ee*K)))))3c-d 

45  Vb  c  d.«(SET(opair(b,c»A3Mb“KAc«(p"(ee"K»)>A(SET(opair(b,d»AX 
3K.(b-kAd-(p"(ee'K)))))3c-d) 

46  Vd.((SET{d)A3K.d-opair(K,p"(ee"K)))=3b  c.d-opair(b,c))AVb  c  d.((($* 

ET(opair(b,c))A3k.(b-KAc-(p"(ee"K)))>A(SET(opair(b,d))A3k.(b-kAd-{p"(< 

ee"k)))))Dc-d) 

47  FNC({b|3k.b-opair(k,p“(ee"k))})*{Vd.((SET(d)A3k.d-opair(k,p*(ee"k)% 
))o3b  c.d-opair(b,c))AVb  c  d.{({SET(opair(b,c))A3k.(b-kAc-(p"(ee"k)))X 
)A(SET(opair(b,d))A3k.(b-kAd»(p"(ee"k)))))3c-d)) 

48  FNC({b|3k.b-opair(k,p-(ee-k))}) 


*****label  FUNCC  tj 

***a*VE  AUX10  {b|b(CApair(a,bKR}  {b|b<CApair(a,bKB}; 

49  UNIVERSAL({b|b<cApair(a,bXR})3(UNlVER$AL({b|b<cApair(a,bXB})o(DE* 
NUM({b|b<cApair(a,bXR}u{b|b<cApair(a,bXB})3(OENUM({b|b<cApair(albX* 
R})vDENUM({b|b<cApair(a,bXB}»)> 

*»***EVAL  Tj 

50  DENUW{b|b<cApair(a,bXR}u{b|b<cApair(aIb)<B})3(DENUM({b|b<cApair(X 
a.bX  R})vDENUM{{b|b(cApair(a1b)(B})) 

*****GOAL  Vc  a.(ccGAa<c3t:»l*l-c\singl(a)); 

Goal  «6:  Vc  a.((ccGAa<cM{b|b<cApair{a,bKRju{b|b<cApair(a,bXBJHX 
c  \  singl(a))) 

*****TRY  USING  REWRITE  BY  {KEXT  SUBSET  AUX6}; 

Goal  e6el:  Vcl  a.((Vc.(c<cl:>c<G)Aa<cl)3Vc.((($ET(c}A{c(clApair(a,cX% 
R))v(SET(c)A(c<clApair(a,cKB)))«c<(cI  \  singl(a)))) 

*****TRY  USING  REWRITE  BY  {DIFF  COMPL  AUX25  UNIT  V}; 

Goal  e6«lei:  Vcl  a.«Vc.(c<c  1 3c<G)Aa<c  1  )= Vc.«(SET(c)a(c<c  1  Apeir<a,cX 
KR)MSET(c)A(c<clApair(a,c)<B)))«{c<clA(SET(c)A-<SET(c)A(SET(a)Ac-aX 
)))))) 

*****TRY  USING  ELIMINATION  DEPTH  3; 

Goal  «6«1  «1  #1 :  (Vc.(c«c  1  oc<G)Aa(c  1  )=>Vc.(((SET(c)a(c(c  1  Apair(a,cXR))5f 
v(SET(c)A(c<clApair(a,cXB)»*(c<clA(SET(c)A-<SET(c)A(SET(a)Ac-a))))) 

Goal  «6alel«l»l:  Ve.fUSETfcMccclApair^cXRJMSETteWdclApairX 
(a,cXB)))»{c<clA(SET(c>A'<SET{c)A(SET(a>Ac«a»))) 

51  Vc.(c<cl=>c<G)Aa<cl  (51) 
52a(cl  (51)

53  Vc.(c<clac<G)  (51) 

Goal  *6«1«1*1*1*1:  ((SEKcMctclApairUcXRMSETteM^clApairUX 
,c  X  B)))a(c<c  1  A(SET(c)A-(S£T(c)A{S£T(a)Ac»a)))) 

*****VE  AUX12  a  c  G;

54  pair(a,eXEDGESET(G)s(a<GA(c<GA-<a-c))) 

*****REWRITE  t  BY  {3  AUX6}; 

2  substitutions  were  made 

55  (pair(a,c)cRvpair(a,cXB)*(a<GA(c<GA-(a«c)))  (1) 

*****TRY  USING  MONADIC  TTTT.TTT.T;

56  ((SET(c)A(c<clAPair(a,cXR))v(SET(c)A(c<clApair(a,c)cB)))*{c<clA(S,-( 
ET(c)A-(SET(c)A(SET(a)Ac-a))))  (1  51) 

57  Vc.(((SET(c)A(c<clApair(a,c)<R)M$ET(c)A<c<clApair(a,cXB)))*(c<cK 
lA(SET(c)A-KSET(c)A(SET(a)Ac-a)))))  (1  51) 

58  (Vc.{c<cl3c(G)Aa(cl)3Vc.(((SET(c)A(c<clApair(a,c)<R))v(SET(c)A(c<c)£ 

1  Apair(a,cX 8)))«(c<c  1  A(SET(c)AXSET(c)A(SET(a)AC-a)))))  ( 1 ) 

59  Vd  a.((Vc.(c<cl3c<G)Aa(cl)3Vc.(((SET(c)A(c«clApair(alc)<R))v(SET(X 
c)a(c<c  1  APair(a.cXB)))«(c(c  1  A(SET(c)A-(SET(c)A(SET(a>Ac-a))))))  ( 1 ) 

60  Vcl  a.((Vc.(c<cl3c<G)Aa(cl)oVc.(((SET(c)A(c<clApair{a,c)(R)MSET0( 
c)A(c<clApair(a,cXB)))*c<(cl  \  singl(a))))*Vd  a.((Vc.(c<cl3c«G)Aa<cX 
l)3Vc.(((SET(c)A(c<clApair(a1cXR))v(SET(c)A(c<clApair(a,cXB)))»{c<cX 

1  A(SET(c)A^SET(c)A(SET(a)Ac-a)))))) 

6 1  Vc  1  a.((Vc.(c<c  1  sc<G)Aa<c  1  X>Vc.(((SET(c)a(c<c  1  Apair(a,c)<R»v(SET(X 
c)A(c<clApair(a,cKB)))«c<(cl  \  singl(a))))  (1) 

62  Vc  a.((ccGAa<c)3({b|bCcApair(a,b)<R)u{b|b<cApair(a,bXB})-(c  \  sinX 
gl(a)))»Vc  1  a.((Vc.(c<c  1  =>c<G)Aa<c  1  )oVc.(«SET(c)A(c<clApair(a,cXR))v5( 
(SET(c)A(c<clApair(a,cXB)))«c<(cl  \  singl(a)))) 

63  Vc  a.((ccGAa<c)3({b|b<cApair(a,b)<R}u{b|b<cApair(a,bXB})-(c  \  sinX 
gl(a)))  (1) 


*****GOAL  Vc  a.(ccGADENUM(c)Aa<c=>50:#2);

Goal  «7:  Vc  a.((ccGA(DENUM(c)Aa<c))3(DENUM{{b|b<cApair(a,bXR})vDENUX 
M({b|b(cApair(a,bXB}))) 


*****TRY  USING  ELIMINATION; 


Appendix  2:  Ramsey's  Theorem.


Goal  «7«1:  (ccGA(DENUM(c)Aa<c))o(DENUM({blb<cApair(a,bXR})vDENUM({bX 
|b<cApair(a,bXB})) 

Goal  «7eUl:  DENUM({b|b<cApair(a,bXR})vDENUM({b|b<CApair(a,bXB}) 
*****TRY  USING  IMPLICATION  50; 

64  ccGA(DENUM(c)Aa(c)  (64) 

65  a<c  (64) 

66  DENUM(c)  (64) 

67  ccG  (64) 

Goal  «*7»1»1»1:  DENUM({b|b<CApair(a,bXR}u{b|b<CApair(a,bXB}) 

*****VE  63  c  a;

68  (ccGAa<c)3({b|b<CApair(a,bKR}u{b|b<CApair(a,b)<B})-(c  \  singl(a))  (1) 

*****TAUT  Ts*2  64  t; 

69  ({b|b<cApair(a,b)<R}u{b|b(cApair(alb)(B})-(c  \  singl(a))  (1  64) 
*****RESOLVE  66  AUX9;

RESOLVE  DENUM(a)aDENUM(a  \  singl(b)) ,  DENUM(c)  -♦-*  Vb.DENUM(c  \  singl(b)) 

70  Vb.DENUM(c  \  singl(b))  (64) 

*****TRY  USING  REWRITE  BY  {TT,T};

71  DENUM({b|b<cApair(a,b)<R}u{b|b<cApair(a,b)<B})  (1  64) 

RESOLVE  DENUM({b|b<cApair(aIb)<R{u{b|bccApair(a,bKB})3(DENUM({b|b<cAX 
pair(a,b)<R})vDENUM({b|b<cApair(a,b)<B})) ,  DENUM({b|b<CApair(a,bXR}% 
u{b|b<cApair(a,b)<B})  -*-*  DENUM({b|b<cApair(a,b)<R})vDENUM({b|b<cApairX 
(a,bXB}) 

72  DENUM({b|b<cApair(a,b)<R})vDENUM({b|b<CApair(apb)<B})  (1  64) 

73  (ccGA(DENUM(c)Aa(c))3(DENUM({b|b<cApair(a>b)<R})vDENUM({b|b<eApair% 
(a,bXB}))  (1) 

74  Vc  a.((ccGA(DENUM(c)Aa<e))o(DENUM({b!bCcApair(a,bXR})vDENUM{{b|b<X 
CApair(a,b)<B})))  (1) 

*****GOAL  Vi.(ee"icGADENUM(ee"i));

Goal  «8:  Yi.«ee"i)cGADENUM<ee"i)) 

*****TRY  USING  INDUCTION;




Goal  *8»1:  (ee"X)cGADENUM(ee"X) 

Goal  *8*2:  Vt.(((ee"i)cGADENUM(ee"i))3{(ee"SUC(i))cGADENUM(ee"SUC(i)))) 
*****TRY  1  USING  REWRITE  BY  {SUBSET  EEO  DENUMG}; 

75  (ee"X)cGADENUM{ee,,X)  (1  17) 


*****TRY  USING  ELIMINATION; 

76  DENUM(ee’*X)  (1  17) 

77(ee"X)cG  (1  17) 

Goal  *8*2*1:  ((ee"i)cGADENUM<ee,,i))3((ee"SUC{i))cGADENUM(ee,,SUC(i))) 
Goal  *8*2*1 *1;  (ee"SUC(i))cGADENUM(ee"SUC(i)) 

78  (ee*i)cGADENUM(ee"i)  (78) 

79  DENUM(ee"i)  (78) 

80  (ee"i)cG  (78) 

Goal  *8#2*1#1«1:  (ee”SUC(i))cG 
Goal  *8*2*1 *1*2:  DENUM(ee"SUC(i)) 

*****VE  APPLY  EEDEF:*1*2*1  ee"i;

81  UNIVERSAL({b|3c  d.(b-opair(c,d)A(ccGAHc«X)Ad-IF  DENUM({b|b(cApaiK 
r(p"c,b)<R})  THEN  {b|b<cApair(p"c,b)<R}  ELSE  {b|b<cApair(pnc1b)<B})>« 
})=>((3d.Vc.(d»ciopair(ee-i,c)<{b|3c  d.(b-opair(c,d)A(ccGA(-<(c«X)Ad«*IF5( 
DENUM({b|b<cApair(p"c,b)<R})  THEN  {b|b(cApair(p,,c,b)<R}  ELSE  {b|b(CA* 

pair(p"c,bKB})))j)oopair(ee"i,{bPc  d.^opairfc.dWccGAWc-XjAd-IX 
F  DENUM({b|b<CApair(p"c,bKR})  THEN  {b|b<cApair(p"c,bXR}  ELSE  {b|b<c% 
Apair(p”c,b)<8))))}"(ee"i)K{b|3c  d.(b*=opair(c,d)A(ccGA<-(c«X)Ad=IF  DX 
ENUM({b|b<CApair(p"c,b)<R})  THEN  {b|b(cApair(p"c,bXR}  ELSE  {bib<CApa'X 
ir(p"c,b)<B})))})A(-'3d.Vc.(d'=csopair(ee"i,c)({b|3c  d.(b*=opair(c,d)A(c% 
cGA(-(c-X)Ad-IF  DENUM({b|b(cApair(p“c,b)<R})  THEN  {b|b<CApair(p"c,b)<X 
R}  ELSE  {b|b(cApair(p"c,b)<B})))})o({b|3c  dXb-opairte.dWccGAMc-XX 
)Ad-IF  DENUM({b|b(cApair(p"c,b)(R})  THEN  {b|b(cApair(p-c)b)<R}  ELSE  {X 
b|b<cApair(p"c,b)<B})))}"(ee"i))»X)) 

*****EVAL  T; 

82  (3d.Vc.(d«c*opair(ee"i,cK{b|3c  d.(b-opair(c,d)A(ccGAHc-X)Ad»IF  X 
DENUM({b|b<cApair(p"c,b)(R})  THEN  {b|b<cApair(pMc,bXR}  ELSE  {b|b<cApX 
air(p"c,b)<8))))})3opair(ee“i,{b|3c  d.{b«opair(c,d)A(ccGA(-'(c«X)Ad»IFX 
DENUM({b|b(cApair(p“c,b)<R})  THEN  {b|b<cApair(p"c,b)cR)  ELSE  {b|b<CAX 

pair(p"c,bKB))))}"(ee"i))<{b|3c  d.(b-op3ir(c,d)A(ccGA{'(c»X)Ad»IF  D EX 
NUM({b|b<cApair(p"c,b)(R})  THEN  {b|b<cApair(p"c,b)(R}  ELSE  {blb(cApai% 
r(p"c,b)<B})))})A(-'3d.Vc.(d»c*opair(ee"i1c)({bj3c  d.(b-opair{c,d)A<ccX 
GA(-^c«X)Ad»lF  DENUM({b|b<CApair(p"c,b)(R})  THEN  {b|b(cApair(p"c,bKRK 
}  ELSE  {b|b(cApair(p"e.b)<B}»)})3<{b|3c  d.(b«opair(c,d)A(ccGAHc-X>K 
Ad-IF  DENUM({b|b(cApair(p"c,b)<R})  THEN  {b|b<cApair(p"c,b)<R}  ELSE  {bV 
|b<cApair(p"c,bXB})))}H(ee"i))«X) 
*****aE  t  1;

83  3d.Vc.(d“C»opair(ee"i,cX{b|3c  d.(b»opair(c,d)A(ccGA(->(c-X)Ad-IF  DX 
ENUM<{b|b<cApair(p',c)bXR}>  THEN  {b|b<cApair(p"c,b)(R}  ELSE  {b|b<cApaX 
ir{p"c,bXB})))})=>opair{ee',i,{b)3c  d.(b“Opair(c,d)A(ccGAHc*X)Ad«IF  X 
DENUM({b|b<cApair(p"c,bXR})  THEN  {b|b<cApair(pMc,bXR}  ELSE  {b|b<cApX 
air(p"c,bXB})))},,(ee"i)K{b|3c  d.(b-opair(c,dMccGAHc«X)Ad«IF  DENX 
UM({b|b<cApair(p"c,bXR})  THEN  {b|b<cApair(p"c,b)<R}  ELSE  {b|b«cApairX 
(p"c,bXB})))} 

*****GOAL  t:«2  ASSUME  T; 

Goal  #9:  opair(ee"i,{b|3c  d.(b*opair(c,d)A(ccGA(-(c»X)Ad»IF  DENUM{{bX 
|b<cApair(p“c,bXR})  THEN  {b|b«cApair{p"c,bXR}  ELSE  {b|b<cApair(p"c,X 
bXB})))}"<ee"i)X{b|3c  d.(b-opair(c,d>A(ccGA(-<c-X)Ad-IF  DENUM({b|b<cX 
Apair(p"c,bXR})  THEN  {b|b<cApair(p”c,b)<R}  ELSE  {b|b<cApair{p"c,bXB})))} 

*****TRY  USING  IMPLICATION; 


Goal  *9«1:  3d.Vc.(d«c*opair(ee"i,cX{b|3c  d.(b-opair(c,d)A(ceGAHc-X 
X)Ad-IF  DENUM({b|b<cApair(p“c,bXR})  THEN  {b|b«cApair<pBc,bXR}  ELSE  X 
{bJb(cApair(p"c,bXB})))}> 

*****TRY  USING  EG  IF  DENUM({b|b<ee“iApair(p,'(ee"i),bXR}> 

*  THEN  {b|b<ee"iApair(p"(ee"i),b)<R} 

*  ELSE  {b|b<ee"iApair(p"(ee"i),bXB}; 


Goal  «9«1«1:  Vc.(IF  DENUM({b|b«ee"i)Apair(p"(ee"i)1bXR})  THEN  {b|bX 
<(ee"i)Apair(p''(ee"i),b)<R}  ELSE  {b|b<(ee"i)Apair(p"(ee"i),b)<B}-c*opX 
air(ee"ilcX{b|3c  d.(b-opair(c,d)A(ccGA{-'(c«X)Ad-IF  DENUM({b|b<cApairX 
<p"c,bXR})  THEN  {b|b(cApair(p,,c,b)<R}  ELSE  {b|b<cApair<p"c,bXB})»}) 

*****TRY  USING  REWRITE  BY  {AUX5  AUX27};

Goal  e9eleleli  Vc.(IF  OENUM({b|b<(ee"i)Apair(p"(ee"i>,bXR})  THEN  {bX 
|b<(ee“i)Apair(p"(ee"i)1bXR}  ELSE  {b|b<(ee"i)Apair(p"(ee"i),bXB}"C*X 
((SET(ee“i)ASET(c))A3c  1  d.(((ee“i)-c  1  Ac-d)A(c  1  cGaHc  1  -X)Ad-IF  DENUM<X 
{b|b<clAPair(p"cl,bXR})  THEN  {b|b€e  1  Apair(p"c l.bKR}  ELSE  {b|b<dApaX 
ir(p"cl.bXB}))))) 

*****TRY  USING  ELIMINATION  DEPTH  3; 

Goal  e9slelelel!  IF  OENUM({b|b<(ee"i)Apair(p"{ee"i),b)<R})  THEN  {b|bX 
<(ee"i)Apair(p*(ee“i),bXR}  ELSE  {b|b<(ee"i)Apair(p"(ee"i),bXB}-c«((X 
SET(ee"i)ASET(c))A3c  1  d.(((ee"i)-c  1  Ac«d)A(c  IcGaHc  1  -X)Ad-IF  DENUM({bX 
|b<clApair(p"cltbXR})  THEN  {b|b<clApair(p"d,bXR}  ELSE  {b|b<dApairX 
<p"cl,bXB}»» 

Goal  e9elelelelelt  IF  DENUM({b|b<(ee"i)Apair(p"(ee"i),bXR})  THEN  {bX 
|b<(ee"i)Apair(p*(ee"i),bXR}  ELSE  {b|b<(ee"i)Apair(p"(ee’,i),bXB}"CoX 
((SET(ee“i)ASET(c))A3c  1  d.(«ee"i)-c  1  Ac«d)A(c  IcGaHcI  -X)Ad-IF  DENUM(X 
{b|b<clAPair(p"cl,bXR})  THEN  {blbtclApaiKp^l.bXR}  ELSE  {b|b*dApaX 
ir(p-cl.bXB}))» 




Goal  *9*1*U1»1*2:  «SET(ee"i)ASET(c))A3cl  d.(((eeMi)-clAc-d)A(cleGAX 
Wcl-X)Ad«IF  DENUM({b|b<clApair(p“cl,bXR})  THEN  {b|b<clApair(p"cl,bX 
HR}  ELSE  {b|b<clApair(p“el,b)<B}))))3lF  DENUM({b|b<(eeui)Apair(p"(ee% 
"i),b)<R})  THEN  {b|b«ee"i)Apair(p"(ee"i)>bXR}  ELSE  {b|b<(ee"i)Apair* 
(p"(ee"i),b)<B}-c 

Goal  e9«l«l*lelelel:  ($ET<ee*i)A$ET(c))A3cl  d.(«ee"i)-clAc-d)A(clcG* 
A(-(cl-X)Ad-IF  DENUM({b|b(clApair(p"cl,bXR})  THEN  {b|b<clApair(p"cl,* 
bXR}  ELSE  {b|b<clApair(pHcl,bXB}))) 

Goal  «9«lelelele2el:  IF  DENUM({b|b<(ee"i)Apair(p"(ee"i),bXR})  THEN  X 
{b|b<(ee"i)Apair(p"(ee"i),bXR}  ELSE  {b|b<(ee"i)Apair(p"{ee“i),bXB}-c 

*****PREPARE;

84  (SET(ee"i)ASET(c))A3cl  d.(((ee"i)«c  1  Ac-dWc  IcGaHc  1  -X)Ad-IF  DENUK 
M({b|b<clAPair(p"cl,bXR})  THEN  {b|b<clApair(p"cl,bXR}  ELSE  {b|b<clA* 
pair(p“cl,bXB})))  (84) 

85  3cl  d.(((ee"i)-clAc-d)A(clcGAHd-X)Ad-IF  DENUM({b|b<clApair(p"clX 
,bXR})  THEN  {b|b<c  1  Apair(p"c  1  ,bXR}  ELSE  {b|b<dApair(p"d,bXB})»  (84) 

86  SET(c)  (84) 

87  SET(ee"i)  (84) 

*****ES  TTT  cl  d;

88  ((ee"i)-clAc-d)A(dcGA«cl-X)Ad-IF  OENUM((b|b<clApair(p"cl,bXR})X 
THEN  {b|b<clAPair(p"cl,bXR}  ELSE  {b|b<clApair(p"d,bXB}))  (88) 

*****AOOFACTS  e9elelelele2el  ASSUME  T; 

Goal  e9«lelel«le2el:  IF  DENUM({b|b<(ee”i)Apair(p"(ee"i),bXR})  THEN  X 
{b|b<(ee“i)Apair(p"(ee"i),bXR}  ELSE  {b|b<(ee“i)Apair(p"(ee"i),bXB}-c 

*****PREPARE;

89  d— IF  DENUM({b|b<c  1  Apair(p"c  1  ,bXR})  THEN  {b|b<dApair(p"cl,bXR}  EX 
LSE  {b|b<c  1  Apair(p"c  1  ,bXB}  (88) 

90  ->(cl"X)  (88) 

91  clcG  (88) 

92  c-d  (88) 

93  (ee"i)-cl  (88) 

94  cl"X«FALSE  (88) 

*****TRY  USING  REWRITE  BY  {TT.TTT.TtTTtT}; 

95  IF  DENUM({b|b((ee’,i)Apair(p',(ed’,i)^XR})  THEN  {b|b<(#s"i)Ap«ir(p% 
(ee"i),bXR}  ELSE  {b|b<(ee’,i)Apair(pWi),bXB}-c  (84) 
96  (<SET{ee"i)A$ET(c))A3cl  d.(((ee"i)«dAc-d)A(clcGAHcl-X)Ad«IF  DEM
UM({b|b<clApair(p"cl,bXR})  THEN  {b|b<clApair(p"cl,b)(R}  ELSE  {b|b<cl% 
Apair(p"cl,bXB}))))3lF  DENUM({btb«ee"i>Apair(p"(ee',i),bXR})  THEN  (K 
b|b«ee"i)Apair(p’’(ee,,i),bXR}  ELSE  {b|b((ee*'i)Apair(pM<ee"i),b}<B}-c« 

*****TRY  USING  a); 

97  IF  DENUM({b|b<(eeHi)Apair(p"(ee"i),b)<RJ)  THEN  {bjb((ee“i)Apair(p"X 
(ee"i),b)<R}  ELSE  {b|b<(ee"OApair(p"lee,,i),bXB}-c  (97) 

Goal  *9#1*1*1*1*1*1*1:  $ET(ee''i)ASET(c) 

Goal  *9*1#1#1*1«*1#1«*2:  3cl  d.(((ee“i)=clAc*d)A(cleGA(i(cl-X)Ad-IF  DEK 
NUM({b|b<clApair(p”cl,bXR})  THEN  {b|b<clApair<p,'cl,bXR}  ELSE  {b|b(cX 
lApair(p”cl,bX8}))) 

*****TRY  USING  EG  ee"i  t:#l; 

Goal  #9«1*1*1#1#1*1#2«1:  ((ee''i)=(ee''i)Ac*=IF  OENUM({b|b<{ee"i)Apair{X 
p"(ee"i),bXR})  THEN  {b|b<<ee"i)Apair(p"<ee"i),b)<R}  ELSE  {b|b<(ee"i« 
Apair(p"(ee"i))bXB})A((ee"i)cGA(-((ee"i)-X)AlF  DENUW({b|b<(ee“i>Apai^ 
r(p"(ee"i),bXR})  THEN  {b|b<(ee>i)Apair(p”(ee"i)1bXR}  ELSE  {b|b<(ee"5f 
i)Apair(p"(ee"i),bHB}-IF  DENUM({b|b<(ee,,i)Apair(p"(ee"i),bXR})  THENK 
{b|b<(ee"i)Apair(p"(ee"i),bXR}  ELSE  {b[b<(ee"i)Apair(p"(ee"i)>b)<B})) 

*****VE  AUX3  ee"i;

98  DENUM(ee"i)3->((ee"i)»X) 

*****TAUT  T:#2  79  T: 

99  -«ee"i)-X)  (78) 

*****TRY  USING  REWRITE  BY  {80  T.TTT};

100  ((eeHi)-(ee"i)AC-lF  DENUM<{blb<(ee"i)Apair(pM(ee"i),bXR})  THEN  {% 
b|b<(ee"i)Apair(p”(ee"i),b)<R}  ELSE  {b|b<(eeni)Apair(p"(ee"i),b)<B})A« 
((ee"i)cGA(-((ee"i)«X)AlF  OENUM({b|b<(ee,'i)Apair(p"(ee"i)1bXR})  THEM 

{b|b<(ee"i)Apair(p"(eeHi),bXR}  ELSE  {b|b((ee"i)Apair(p"(ee"i).b)cB}% 

-IF  DENUM({b|b<(ee"i)Apair(p"(ee"i),b)<R})  THEN  {b]b<(ee,,i)Apair{p‘*(e^ 
eMi),b)(R}  ELSE  {b|b<(ee"i)Apair<p"(ee"i),bXB}))  (78  97) 

101  3c  1  d.(((ee"i)-clAc-d)A(clcGA(’(cl»X)Ad-IF  OENUM({b|b<clApair(p',cl,b),<( 
<R})  THEN  {b|b<clApair(p"cl,b)<R}  ELSE  {b|b<clApair(p"cl,bXB})))  (78  97) 


*****VE  74  ee"i  p"(ee"i);

102  ((ee"i)cGA(DENUM(ee"l)A(p"(eeBi)X(ee"i)))3(DENUM({b|b((eeHi)Apai,-( 
r(p"(ee"i),bXR})vDENUM({b|b<(ee“i)Apair(p"(ee,'i)1bXB}))  (1) 

*****VE  CHOOSEP  ee"i;

103  ((ee”i)cGA-K(ee"i)-X))3(p”{ee"i)X(ee"i)  (13) 
*****TAUT  DENUM<97:#1)  79  80  99  TT:;

104  DENUMOF  DENUM({b|b«eeBi)Apair<pB<eeBi),bXR})  THEN  {b|b<(eeHi)A% 
pair(p"(ee"i),b)<R}  ELSE  {b|b<(eeBi)Apair(pB(eeBi),b)<B}>  (1  13  78) 

*****REWRITE  T  BY  {97};

1  substitutions  were  made 

105  DENUM(c)  (1  13  78  97) 

*****TRY  USING  MONADIC  79  T  AUX1;

106  SET(ee"i)ASET(c)  (1  13  78  97) 

107  ($ET(ee"i)A$ET(c))A3cl  d.(((eeBi>«dAc«d)A(clcGA(-.{cl-X)Ad-IF  DENX 
UM({b|bCclApair(p"cl,b)(R})  THEN  {b|b<dApair(pBcl,bXR}  ELSE  {b|b<dX 
Apair(pMcl,b)(B})))  (1  13  78  97) 

108  IF  DENUM({b|b<(ee"i)Apair(p"(ee”i),b)(R})  THEN  {b(b<(ee"i)Apair(pX 
"(ee"i),b)(R}  ELSE  {b|b<(eeBi)Apair(p"<ee,,i),bXB}-c3«SET(eeBi)ASET(K 
c))a3c1  d.(((ee"i)«c  1  Ac«d)A(c  1  cGa(-(c  1  -X)Ad«IF  DENUM({b|b<clApair(p"cl,b)% 
<R})  THEN  {b|b(clApair(pBcl,b)(R}  ELSE  {b|b(clApair{p”cl,b)(B)))))  (1  13  78) 

109  IF  DENUM({b|b<(ee“i)Apair(p,,(ee,,i),bKR})  THEN  {b|b((eeHi)Apair(pK 
"(eeMi),b)<R}  ELSE  {b|b<(eeBi)Apair(p"(ee“i),bXB}«c*<(SET<eeBi)ASET(K 
c))a3c1  d.(((ee"i)-clAc-d)A(clcGA(-(cl-X)Ad=IF  DENUM{{b|b(clApair(pBcl,b)X 
<R})  THEN  {b|b<clApair(p"cl,bXR}  ELSE  {b|b(clApair{p“cl,b)(B}))))  (1  13  78) 

110  Vc.OF  DENUM({b|b<(eeBi)Apair(pB(ee"i),bXR})  THEN  {b|bc(eeBi)ApaX 
ir(pB(ee"i),b)<R}  ELSE  {b|b<(eeBi)Apair(pB<ee"i),bXB}«CH((SET(eeBi)A% 
SET(c))a3c1  d.(((eeBi)=clAc«d)A(clcGA(-<(cl»X)Ad«IF  DENUM({b|b(clApairX 
(pBcl,bXR})  THEN  {b|b<d Apair(p"cl,b)<R}  ELSE  {b|b<clApair(pBcl,bXBK 
})))))  (1  13  78) 

1 1 1  Vc.OF  DENUM({b|b<(ee"i)Apair(p"{ee"i),b)<R})  THEN  {b|b<(eeBi)Apa% 
ir(p"(eeBi),bXR}  ELSE  {b|b<(ee"i)Apair{p"(ee''i),b)<B}-csopair(ee"i,C/£ 

X{b|3c  d.(b-opair(c,d)A(ccGA(-.(c«X)Ad*=IF  DENUM({bfb(cApair(p"c,b)<R}X 
)  THEN  {b|b(cApair(p"c,bXR}  ELSE  {b|bccApair(p"clb)cB))))}XVc.(IF  D% 
ENUM({b|b<(eeBi)Apair(pB(ee"i),bXR})  THEN  (b|b((ee"i)Apair(p”(ee"i),X 
b)<R}  ELSE  {b|b<<ee"i)Apair(pB<ee"i)1bXB}-c*((SET(eeBi)ASET(c))A3d  X 
d.«(eeBi)-=c  1  Ac=d)A(c  1cGa(-(c  l  =X)Ad=IF  DENUM({b|b(c  1  Apair(p"c  1  ,bXR})% 

THEN  {b|b<clApair(pBcl,bXR}  ELSE  {b|b(clApair(pBd,b)<B}))))) 

112  Vc.OF  DENUM({b|b((eeBi)Apair{p"(ee“i),bXR})  THEN  {b|b((ee"i)Apa% 
ir(pB<ee"i),bXR}  ELSE  {b|b((ee"i)Apair<pB(ee"i),b)cB}»c«opair(eeBi,cK 
X{b|3c  d.(b-opair(c,d)A(ccGA(^{c-X)Ad“IF  DENUM{{b)b<cApair{pBc,b)<R}% 

)  THEN  {b|b<cApair<pBc,b)(R}  ELSE  {bjb<cApair(p"c,bXB}))>})  (1  13  78) 

113  3d.Vc.(d-c«opair(ee”i,cX{b|3c  d.(b-opair(c,d)A(ccGA(-(c»X)Ad-IF  X 
DENUM({b|b<cApair(pBc,bXR})  THEN  {b|b<cApair(p"c,bXR}  ELSE  {b|b(CApt( 
air(pBc,b)<8})))})  (1  13  78) 

RESOLVE  3d.Vc.(d»c»opair(eeBi,c)<{b|3c  d.{b“opatr(c,d)A(ccGA(-(c-X)AdK 
-IF  DENUM({b|b<cApair(p"c,bXR})  THEN  {b|b(cApair(pHc,b)<R{  ELSE  (b|bX
(CApair(p‘’c,b)<B})))})3opair(ee"i,{bpc  d.(b-opair(c,d)A(ccGA(-(c-X)AX 
d— IF  DENUM({b|b<cApair(p"c,b)<R})  THEN  {b|b<cAPair(p"c,b)(R}  ELSE  {b|X 
b<cApair{p"c,b)<B})))}"(ee"i))<{bPc  d.(b»opair(c,d)A(ccGA(-(c-X)Ad-IX 
F  OENUM({b|b<cApair{p"c)b)<R})  THEN  {b|b(cApair(p“c,b)(R}  ELSE  {b|b<cX 
Apair(p“c,b)(B})))} ,  3d.Vc.(d«csopair{ee”i,cX{bPc  d.{b»opair(c,d)A% 
(ccGA(-(c-X)Ad-IF  DENUM{{b|b(cApair{p“c,b)(R})  THEN  {b|b<cApair(p"c,bX 
XR}  ELSE  {b|b<cApair(p"c,b)<B})))})  -»-»  opair(ee“i,JbPc  d.(b-opair(cX 
,d)A(ccGA(-(c-X)Ad-IF  DENUM({b|b(CApair{p"c,b)(R})  THEN  {b|b<cApair(pX 
"c,b)(R}  ELSE  {b|b(cApair{pHc,bKB})))}"{ee"i)XJbPc  d.(b-opair(c,d)X 
A(ccGA(-(c-X)Ad»IF  OENUW{{b|b<cApair{p,,c,b)<R})  THEN  {b|b<CApair(p"c,X 
b)CR}  ELSE  {b|b<cApair(p"c,bXB})))} 

114  opair(ee"i,{b|3c  d.(b=opair(c,dMccGA<-<c-X)Ad-=IF  DENUM({b|b<CApX 
air(p"c,b)<R})  THEN  {b|b<CApair(p"c,bXR}  ELSE  {b|b(cApair(p"c,bXB})X 
))}H(ee"i))({b|3c  d.(b-opair(c,d)A(ccGA(-(c-X)Ad-IF  DENUM({b|b(cApairX 
(p"c,bXR}>  THEN  {b|b<cApair(p"c,bXR}  ELSE  {b|b<cApair(pHc,bXB})»}  (1  13  78) 


*****VE  112  T:#1#2;

115  IF  DENUM{{bib«eeBi)Apair(p”(ee,,i),bXR})  THEN  {b|b<(ee"i)Apair(p% 
"(ee"i),b)(R}  ELSE  {b|b<(ee"i)Apair{p"(ee"i),bXB}»{{b|3c  d.(b«opair(X 
c,d)A(ccGA(-<(c-X)Ad-IF  OENUM({b|bccApair(p“c,bXR})  THEN  {b|b«cApair(X 
p"c,b)<R)  ELSE  {b|b(cApair(p"cIb)<B})))},,(ee“i»E0pair(ee"i,{bpc  d.« 
b-opair(c,d)A(ccGA(n(c-X)Ad-IF  OENUM({b|b<CApair(p"c,b)<R})  THEN  {b|bX 
<cApair(p"c,b)<R}  ELSE  {b|b<cApair(p,,c1bX8})))}"(ee'‘i)X{bpc  d.(b«oX 
pair(c,d)A(CcGA(-(c-X)Ad-IF  DENUM({b|b<CApair(p"c,bXR})  THEN  {b|b<cAX 
pair(p"c,b)<R}  ELSE  {b|b<cApair(p"c,b)<B})))}  (1  13  78) 

*****VE  EEDEF  i;

116  (ee"SUC(i))-({bPc  d.(b-opair(c,d)A(ccGAWc-X)Ad-IF  DENUM({b|b<cX 
Apair(p"c,b)<R})  THEN  {b|b<cApair{p"c,b)<R}  ELSE  {b|b(cApair(p"c,bXBK 
})))}"(ee”i))  (17) 

*****REWRITE  TT  BY  {TTT}uLOGICTREE;

2  substitutions  were  made 

117  IF  DENUM{{b|b((ee"i)Apair(p,,(ee''i),b)(R})  THEN  {b|b<(ee"i)Apair(pX 
"(ee"i),b)<R}  ELSE  {b|b<(eeHi)Apair(pM(ee"i).bXBH{b|3c  d.(b-opair(X 
c,d)A(ccGA(-^c-X)Ad-IF  DENUM({b|b<cApair(p"c,b)<R})  THEN  {b|b<cApair(X 
p"c,b)<R)  ELSE  {b|b<cApair(p"c,b)<B})))}''(ee"i))  (1  13  78) 

*****SUBSTR  T  IN  TT; 

118  <ee"SUC(i))-IF  DENUW{b|b<(ee"i)Apair(pH(ee”i),bXR})  THEN  {b|b«X 
ee"i)Apair(pM(ee"i),b)<R}  ELSE  {b|b((ee"i)Apair(pH(ee"i),b)<B)  (1  13  17  78) 

*****SUBSTR  T  IN  104; 

119  DENUM(ee"SUC(i))  (1  13  17  78) 
*****QED  *8*2*1 *1*2;

*****TRY  USING  REWRITE  BY  {TT,SUBSET}uARGIFTREE;

Goal  *8*2*  1  *  1  *  1 « 1 :  Vc.(((DENUM(!b!b<(ee"i)Apair(p"(ee“i>,bXR5):>(SETX 

(c)A(c<(ee"i)Apair(p’,(ee"i),cXR}))A(-DENUM({b|b<(ee"i)Apair(p,'(ee"i)K 

,bKR})3(SET(c)A(c<(ee"i>Apair<p"{ee"i)(c)<B»))3C<G> 

*****TRY  USING  ELIMINATION; 

Goal  «8*2*1*1  *1*1*1:  (<DENUM({b|b<(ee“i)APair(p"(ee,,i),bXR})3(SET(cK 
)A(cc(ee"i)Apair(pH(ee“i)>c)<R)))A(-DENUM{{b|bc(ee*,i)Apaif(p"(eeBi),b^ 
)<R})3(SET(c)A(c<(ee"i)Apair<p"(ee“i),cXB))))3c<G 
Goal  »8*2«1*1*1«1«1«1:  c<G 

*****PREPARE;


120  (DENUM<{b|b((ee"i)Apair(p"(ee"i),b)(R})3(SET(c)A(c<(ee“i)Apair(p"X 
(ee"j),cXR)))A(-DENUM({b|bc(ee"i}Apair(pH(ee"i),b)(R}}o{SET<c)A(c<(eX 
e"i)Apair(p"(ee"i),cXB)))  (120) 

121  -DENUM({b|b<(ee"i)Apair(p"(eeBi),bXR})o{SET(c)A(c<(ee"i)Apair(p"X 
(ee"i),c)<B))  (120) 

122  DENUM({b|b«ee"i)Apair(p"(ee"i),bXR})3(SET<c)A<c<(ee"i)Apair(p"(X 
ee"i),cXR»  (120) 

*****VE  EOGERB  pair<p"(ee"i),c);

123  pair(p-(ee"i),cXEDGESET(G)H(pair(p"(ee"i),cXRvpair(p"(eeMi),cXB)  (1) 
*****REWRITE  T  BY  {EDGESET  AUX12};

1  substitutions  were  made 

124  ((p"(ee"i)XGA(c<GA-'((p"(ee"i))-c))X(pair(p"(ee',i),c)<Rvpair(p"(5( 
ee"i),c)(B)  (1) 

*****TRY  USING  TAUT  120  ft:;

125  c<G  (1  13  17  78  120) 

126  {(DENUM<{btb<(eeMi)Apair(p"(ee"i),bXR})3(SET(c)A(c((ee,,i)Apair(p< 
"(eeHi),cXR)))A(-DENUM({b|b<(ee"i)Apair(pn(ee"i),bXR})o(SET(c)A(c€(K 
ee"i)Apair(p"(eeHi),c)<B))))3c<G  (1  13  17  78) 

127  Vc.(((DENUM({b|b<(eeHi)Apair(p"(ee"i),bXR})3(SET{c)A(c<(ee"i)ApaK 
ir(p"(ee,’i),cXR)))A(-OENUM({b|b((ee"i)Apair(p"(ee''i),bXR})o(SET(c)A% 
(c«ee"i)Apair(pH(ee"i),cXB))))oc<G)  (1  13  17  78) 

128  (ee"SUC(i))cG«Vc.(((DENUM({b|b<(ee"i)Apair(p"(ee"i)IbXR}):>(SET(cX 
)A(c<(ee"i)Apair(p"(ee"i),cXR)))A(-'OENUM({b|b<(ee"i)Apair(p"(ee"i),bK 
XR}b(SET(c)A(c((ee"i)Apair(p"(ee"i),cXB))))oc(G)  (1  13  17  78) 
129  <ee"SUC<i))cG  (1  13  17  78)

130  (ee"SUC(i))cGAD£NUM(ee"SUC(i))  (1  13  17  78) 

131  ((e®"i)cGADENUM<ee*i))3«ee‘,SUC(i))cGADENlJM(8e’,SUC(i)))  (1  13  17) 

132  Vi.(((ee"i)cGA0ENUM(ee"i))3«eeMSUC(i))cGA0ENUM(eeHSUC(i))))  (1  13  17) 

133  Vi.«ee“i)cGADENUM(ee"i))  (1  13  17) 

*****GOAL  Vi.(ee"SUC(i)c(ee"i)\singl(p"(ee"i)));

Goal  *10:  Vi.(ee"SUC(i))c((ee"i)  \  singl(p“(ee“i))) 

«****0E0  78  118; 

134  ((ee"i)cGADENUM(ee"i))3(ee"SUC(i))-IF  DENUM({b|b<(ee,,i)Apair(p',(eX 
e"i),b)<R))  THEN  {b|b({ee"i)Apair(p"{ce"i)(b)<R}  ELSE  {b|b<(ee"i)ApaiX 
r<p"(ee*i),bXB}  (1  13  17) 

*****REWRITE  T  BY  {Tt}uLOGICTREE;

2  substitutions  were  made 

135  (ee"SUC(i))-IF  OENUM({bjbc(ee"i)Apair(p“(ee"i).bXR})  THEN  {b|bc(% 
ee"i)APair(p"(ee"i),bXR}  ELSE  {b|b((ee*i)Apair(p"{ee“i),bXB)  (1  13  17) 

*****LABEL  SUCI;

*****VI  T  i;

136  Vi.(ee"SUC(i))-IF  DENUM([b|b<(ee”i)Apair(p,'(eeBi)>bXR}>  THEN  {b|X 
b<(ee"i)Apair(p"(ee"i),bXR}  ELSE  {b|b<(ee"i)Apair(p,,(ee"i),bXB}  (1  13  17) 

*****VE  AUX11  p"(ee"i)  ee"i;

137  SET(p"(ee*i))3Vc.(c<((ee"i)  \  sing!(p"(ee"i)))i(c€(ee"i)A-'(c-(p"(ee“i))))) 
*****MONADIC  T:#1  133  AUX3  AUX4  103;

138  SET(p"(ee"i))  (1  13  17) 

*****TAUT  Tt:*2  ft:; 

139  Vc.(c(«ee"i)  \  singl(p"{ee"i)))*{c<(eeni)A-^c-(p,\ee"i)))))  (1  13  17) 
*****TRY  USING  REWRITE  BY  {SUCI  SUBSET  T}uARGIFTREE;

Goal  elOel:  Vi  c.(((DENUM({b|b<(ee“i)Apair{p"(ee"i)lb)cR})3(SET(c)A(X 

c<(ee"i)Apair(p"(ee,'i),c)<R)))A(-'DENUM{{b|b<{ee''i)Apair{p"(eeni),bXR1i 

})3{SET(c)A(c<(eemi)Ap3<r(p'(ee"i),c'Xd))))3(ci(ee,,i)A^C“{p'(eemi))))) 
*****TRY  USING  VI;

Goal  elOelel:  ((DENUMUb|bc(ee"i)Apair(p*,(ee"i>,b>cR})3(SET(c>A(c<(ett 

e"i)Apair(p"(ee"i),c)<R)))A{-DENUM{{b!b({ee"i)Apair(pH(ee”i))b)(R})o(,-< 

SET(c)A(c((ee*,i)Apair{p“(ee,,i),£HB)))>3{c<{ee"i)A-(c-(pM(ee"i)))) 

*****TRY  USING  TAUTEQ  124; 

140  «DENUM({b|b<(ee“i)Apair(pM(ee"i),b)<R})3{$ET{c)A<c((ee"i)Apair(pX 
H(ee"i),cXR)))A<-DENUM<{b|bc(eeBi)Apair(p"<ee"i),b)<R})o<$ET(c)A(cc(!< 
ee"i)Apair(p"(ee"i),cXB))))3(c<(ee“i)A-(c-(p"(ee"i»))  (1) 

141  Vi  c.<((DENUM{{b|b((ee"i)Apair(p“(ee',i)1bXR}}3(SET{e)A(c<(ee,,i>AX 
pair(p-(ee"i),c)<R)))A{-DENUM({b|b((ee"i)Apair(pH(ee"i)lb)<R})3(SET(cX 
)A(c<(ee"i)Apair(p"(ee"i)tc)<B))))3(c<(ee"i)A-^c-(p“(ee''i)))))  (1) 

142  Vi.(ee"SUC(i))c((eeBi)  \  singi(p**(ee“i)))=Vi  c.«(DENUM({b|b«ee"K 
i)Apair(p"(ee“i),b)cR})3(SET(c)A(c<(ee"i)Apair(p"{ee"i),c)<R)))A(-DEN% 
UM({b|b((ee"i)Apair(p"(ee"i),bXR})3(SET(c)A(c«(ee"i)Apair(p"(ee"i),c1i 
XB))))o(c<(ee"i)A-(c«(p"(ee"i)))))  <1  13  17) 

143  Vi.(ee"SUC(i))c((ee"i)  \  singl(pH(ee“i)))  (1  13  17) 

*****GOAL  Vj  i.(j  LT  ioee"icee"SUC(j));

Goal  ell:  Vj  i.(j  LT  io(ee"i)c(ee"SUC<j))) 

*****TRY  USING  VI  j; 

Goal  el  lei:  Vi.(j  LT  P<ee,'i)c<eeBSUC<j))) 

*****TRY  USING  INDUCTION; 

Goal  all  el  el:  j  LT  Xs(ee"JOc<ee"SUC(j)) 

Goal  ellele2t  Vi.((j  LT  i=<eeBi)c<ee“SUC(j))):><j  LT  SUC(i)o{ee"SUC(i% 
))c(ee"SUC(j)))) 

*****TRY  1  USING  REWRITE  BY  {LESS4}; 

144  j  LT  \3{ee"\)c(ee"SUC(j)) 


*****TRY  USING  REWRITE  BY  {LESS7};

Goal  «U«1*2*1:  Vi.((j  LT  io<ee"i)c<ee"$UC<j»)3«j-ivj  LT  i>3<ee"$U% 
C(i))c(ee"SUC(j)))) 

*****TRY  USING  ELIMINATION;

Goal  sllele2eleli  (j  LT  io<eeBi)c{eeBSUC<j)))3«j-ivj  LT  i)3<ee"$UC<% 
i))c(ee"SUC(j))) 

Goal  « 1 1 « 1  «2*  1*1*1:  (j-ivj  LT  i)o<ee"SUC(i))c(eeHSUC<j» 

145  j  LT  i3<e#"i)c(ee"SUC(j))  (145) 
Goal  ellel#2elelelel:  (ee"SUC(i))c{ee-SUC(j)>

146  j-ivj  LT  i  (146) 

Goal  ellele2elelelelel:  j-i=(ee"SUC(i))c(ee“SUC(j)) 

Goal  eUele2elelelele2:  j  LT  b(ee"SUC<i))c{ee"SUC(j)) 

Goal  •ll«le2elelelelel«l:  (ee”SUC(i))c(ee"SUC(i)) 

Goal  *1 1*1»2*1*1*1«1*2«1:  <ee"SUC(i))c{eeBSUC(j)> 

*****PREPARE; 

147  j  LT  i  (147) 

RESOLVE  j  LT  io(eeBi)c<eaBSUC(j )) ,  j  LT  i  -»-» (ee"i)c(ee"SUC(j)) 

148  (ee"i)c(ee"SUC(j))  (145  147) 

*****VE  143  i;

149  (ee"SUC(i))c((ee"i)  \  sinel(pB(eeBi)))  (1  13  17) 

*****VE  AUX29  ee"i  singl(p"(ee"i));

150  ((ee"i)  \  singl(p"(ee"i)))c{ee"i) 

*****VE  AUX23  149:#1  149:#2  150:#2;

151  ((ee"SUC(i))c((ee"i)  \  singl(p“{ee”i)))A((ee"i)  \  singl(pB(eeBi))X 
)c(ee"i  ))o(ee"SUC(i))c(ee"i ) 

*****VE  AUX23  T:#2#1  T:#2#2  148:#2;

152  ((ee"SUC(i))c(ee”i)A(ee,,i)c(ee"SUC<i)))o(ee"SUC(i))c{ee"SUC(j» 

*****TRY  USING  TAUT  148:; 

153  (ee"SUC(i))c(ee"SUC(j))  (1  13  17  145  147) 

154  j  LT  io(ee"SUC(i))c(ee"SUC(j))  (1  13  17  145) 

*****TRY  USING  REWRITE  BY  {SUBSET};

155  j-i  (155) 

156  (ee"SUC(i))c(ee"SUC(j))  (155) 

157  j-io(ee"SUC(i))c(ee"SUC(j)) 

158  (ee"SUC(i))c(ee"SUC(j))  (1  13  17  145  146) 

159  (j-ivj  LT  i)3(ee"SUC(i))c(ee,,SUC(j))  (1  13  17  145) 

160  (j  LT  i3(ee"i)c{ee"SUC(j))M(j-ivj  LT  i)=(ee"SUC(i))c(ee"SUC(j)))  (1  13  17) 
161  Vi.«j  LT  i3(ee"i)c(ee"SUC{j)))={(j-ivj  LT  i)3<ee"SUC(i))c(ee"SUC(j))))  (1  13  17)

162  Vi.((j  LT  i3<eeMi)c<eeMSUC(j)))o(j  LT  SUC(i)=>(ee"SUC<i))c{ee"$UC(j))))% 

■Vi.«j  LT  i3(ee*i)c(ee"SUC<j)))3«j-ivj  LT  i):><ee"SUC(i))c(ee"$UC(j)») 

163  Vi.((j  LT  i3(ee"i)c(ee"SUC(j)))3(j  LT  SUC(i)o(ee,,SUC(i))c(ee-SUC(j))»  (1  13  17) 

164  Vi.(j  LT  ia(eeMi)c{eeHSUC{j)))  (1  13  17) 

165  Vj  i.(j  LT  ia(ee"i)c(eeHSX(j)))  (1  13  17) 

♦♦♦♦♦GOAL  FNC(C0NV(48:«  1  ))aDOM{48:#  1  )-omegaARNG(48:«  1  )cG; 

Goal  #12:  FNC(CONV({bpk.b-opair{k(p>e"k))}))A(DOM({bpk.b-opair(kV 
,pM(ee,'k))})«omegaARNG({bi3k.b-opair(k>p"(ee“k))})cG) 

*****VE  DOM  48:#1;

166  FNC({bpk.b-opair{k>p"(eenk)>})3DOM({bPk.b-opair(k1p"{ee"k))})-{X 
cpa.opair(c,a)<{bPk.b«opair(k,pH(ee"k))}) 

*****VE  RNG  48:#1;

167  FNC({bPk.b-opair(k,p"(ee"k))})3RNG({bPk.b-opair(k,p"{ee"k))})-{X 
cPa.opair(a,cH{bpk.b«opair(k,p"(ee"k))}} 

*****VE  CONV  48:#1;

168  REL({b|3k.b-opair(k1p"(ee,,k))}PCONV({bPk.b-Opair(k1p"<ee"k))})-lt 
{cPa  b.(c-opair(a,b)Aopair(b,a)<{bPk.b«opair(k1p”{ee“k))})} 

*****REWRITE  48  BY  {FNC};

1  substitutions  were  made 

169  REL({bPk.b»opair(k,p"(ee”k))})AVb  c  d.((opair(b,c)<{bPk.b»opair% 
(k,p"(ee,’k))}Aopair(b,d)<{bPk.b-opair(klp"(ee"k))))3c-d) 

*****TAUT  TTTT:«2  TTtT  48;

170  DOM({bPk.b«opair(k,p"(ee"k))})-{cpa.opair{c(aK{bPk.b-opair(k,p"(ee"k))}} 
*****TAUT  TTTT:#2  TTTT  48;

171  RNG({bPk.b-opair(k,p"(ee"k))})-{cpa.opair(a,c)<{bpk.b"Opair(k,p"(ee,'k))}} 
*****TAUT  TTTT-  2  TTTT.TTT;

172  CONV({bPk.b«opair(k)p"{ee*k))})-{cpa  b.(c«opair(a,b)Aopair(b,a)51 
<  {bPk.b-opair(k,p“(ee"k))))} 


*****REWRITE  c -omega  BY  {KEXT};
1  substitutions  were  made

173  c-omega»Vcl.(cl<c«cl<omega) 

*****VI  t  c;

174  Vc.(c»omega«Vc  1  .(c  Hcsc  Homega)) 

*****TRY  USING  REWRITE  BY  {FNC  REL  SUBSET  AUX5  AUX27  omega  T.TTt.TttT.TttTT};

Goal  *12*1:  (Vd.((SET(d)A3a  b.(d=opair(a,b)A<(SET(b)ASET(a))A3k.(b-kX 
Aa-(p"(ee"k))))))33b  c.d«opair(b,c))AVbl  c  d.«((SET(bl)ASET(c))A3a  b/£ 

.«b  1  -aAC-b)A((SET(b)ASET(a))A3Mb-kAa-{pB(ee"k))))))A«SET(b  1  )aSET« 
d))A3a  b.((bl-aAd-b)A((SET(b)A$ET{a))A3k.(b-kAa-(p,,(eeHk)))))))3c-d)« 
a(Vc  1  .((SET(c  1  )A3a.«SET(c  1  )ASET(a))A3k.(c  1  -kAa*=(p"(ee”k))»)*(SET(c  1 )% 
ANATNUM(cl)))AVc.((SET(c)A3a.((SET{a)ASET(c))A3k.(a-kAc-(pH(eeHk)))))Dc(G)) 

*****TRY  USING  ELIMINATION  DEPTH  3;

Goal  #12*1*1:  Vd.((SET(d)A3a  b.(d«opair(a,b)A(($ET(b)A$ET<a))A3k.(b-1C 
kAa-Cp-lee-k)))))):^  c.d-opair(b,c))AVbl  c  d.«(($ET(bl)ASET(c))A3a  X 
b.((bl-aAc-b)A((SET(b)ASET(a))A3k.{b-kAa-(p,,{ee,*k)»)))A((SET(bl)ASET« 

(d))A3a  b.((b  1  -aAd-b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(ee,,k)))))))3C-d) 

Goal  #12*1*2:  Vc  1  ,«SET<c  1  )A3a.((SET(c  1  )ASET(a))A3k.(cl-kAa-(p"(eeVX 
)))))*{SET(c  1  )aNATNUM(c  1  )))AVc.«SET(c)A3a.«$ET(a)A$ET<c))n3k.(a-kAc% 
-(p"(ee"k)))))=>c<G) 

Goal  *12*1*1*1:  Vd.((SET(d)A3a  b.(d=opair(a.b)A((SET(b)A$ET(a»A3k.{X 
b-kAa«(p"(ee"k))))))i>3b  c.d»opair(b,c)) 

Goal  #12*1*1*2:  Vbl  c  d.((((SET(bl)ASET(c))A3a  b.«bl-aAc-b)A«SET<b* 
)ASET(a))A3k.(b-kAa-(p"(ee,,k)»)))A((SET(bl)ASET<d))A3a  b.{(bl-aAd-b» 
A((SET(b)ASET(a))A3k.(b-kAa-(p"(ee“k)))))))3c-d) 

Goal  *12*1*1*1*1:  (SET(d)A3a  b.<d-opair<a,b)A((SET<b)ASET(a)>A3k.(b-X 
kAa-(p"(ee"k))))))33b  c.d“Opair(b,c) 

Goal  #12*1*1*2*1:  <«SET(bl)nSET(c))A3a  b.((bl«aAc-b>A(($ET<b)ASET(a* 
))A3k.(b-kAa-(p"(ee"k))))))A((SET(bl)ASET(d))A3a  b.«bl-aAd-b>A((SETrt 
b)ASET(a))A3k.(b-kAa-(p"(ee"k))))»)3c-d 

Goal  #12*1*2*1:  Vc l.((SET(c  1  )a33.((SET(c l)ASET(a))A3k.(c  1  -kAa-(p"<eeX 
”k)))))a(SET(c  1  )aNATNUM(c  1 ))) 

Goal  *12*1*2*2:  Vc.((SET(c)A3a.«SET(a)ASET(c))A3k.(a-kAc-(p"(ee"k)))))3c<G) 

Goal  #12*1*2*1*1:  (SET(c  1  )A3a.«SET(c  1  )nSET(a))A3k.(c  1  -kAa-fpWk)* 

))))»(SET(c  1  )aNATNUM<c  1 )) 

Goal  *12*1*2*2*1:  (SET(c)A3a.{(SET(a)ASET(c))A3k.(a-kAc-(p"(ee"k)))))oc<G 
*****REWRITE  133  BY  {SUBSET};

1  substitutions  were  made 

175  Vi.(Vc.(c<(eeHi)oc<G)ADENUM{ee"i))  <1  13  17) 

*****REWRITE  103  BY  {SUBSET};

1  substitutions  were  made 

176  (Vc.(c<(ee"i)3c<G)A-«{(ee"i)-X))3(pH(ee"i)H(ee“i)  <13) 


*****VE  AUX3  ee"i;

177  DENUM(ee"i)3-«ee“i)-X) 

*****VE  TTT  i;

178  Vc.(c((ee"i)Dc<G)ADENUM(ee"i)  (1  13  17) 

*****MONADIC  p"(ee"i)(G  TTT:; 

179  (p"(ee"i)XG  (1  13  17) 

*****VI  T  i;

180  Vi.(p"(ee"i))<G  (1  13  17) 
*****TRY  USING  MONADIC  T;

181  (SET(c)A3a.((SET(a)ASET(c))A3Ma-KAc-(p"(ee“K)))))3c<G  (1  13  17) 

182  Vc.((SET(c)A3a.((SET(a)ASET(c))A3K.(a-kAc-(p"{ee"K)))»3c<G)  <1  13  17) 

*****VE  SET  p"(ee"i);

183  SET(p"(ee,,i))»3b.(p''(ee"i))cb 
*****MONADIC  T:«l  TTTTT.T; 

184  SET(p"(ee"i))  (1  13  17) 

*****LABEL  SETPEEI; 

*****VI  T  i;

185  Vi.SET(p"(ee"i))  (1  13  17) 

*****TRY  USING  ELIMINATION; 

Goal  »12*1*2«1«1»1:  (SET(c  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  -kAa-(p"(ee"% 
K)))))s(SET(c  1  )aNATNUM(c  1 )) 

Goal  *  1 2*  1  «2«  1  a  1  «2:  (SET(c  1  )aNATNUM(c  1  ))=><$ET(c  1  )A3a.«SET(c  \  )aSET(s% 
))a3Mc  1  «kAa«(p"(ee',k))))) 

Goal  »12»ltt2«l«l»l»l:  SET(c1)aNATNUM(c1) 

186  SET(cl)A3a.((SET(cl)ASET(a))A3k.(cl-kAa-(p"(ee"k))))  (186) 

187  3a.((SET(d)ASET(a))A3k.(cl-kAa-(p"(ee"k))))  (186) 

188  SET(cl)  (186) 

Goal  •12*1»2«1«UU1»1:  SET(d) 

Goal  «12»l*2ttlttl«l»ltt2:  NATNUM(cl) 

Goal  a  1 2a  1  e2#  1  a  1  a2a  1 :  SET(e  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  -kAa-(p"(aa"k)))) 
189  SET(c  1  )aNATNUM(c  1 )  (189)

190  NATNUM(d)  (189) 

191  SET(cl)  (189) 

Goal  *12*1*2*1*1*2*1*1:  SET(d) 

Goal  *  1 2*  1  *2*  1  *  1  *2*  1  *2:  3a.((SET(c  1  )ASET(a))A3k.(c  1  -kAa-fp-fee-k)))) 
Goal  *12*1*2*1*1*2*1*2*1:  (SET(d)ASET(a))A3k.(d-kAa-(p"(ee"k)» 
Goal  *12*1*2*1*1*2*1*2*1*1:  SET(d)ASET(a) 

Goal  *12*1*2*1*1*2*1*2*1*2:  3Mcl*kAa-(pB(eeMk))) 

Goal  *12*1*2*1*1*2*1*2*1*1*1:  SET(cl) 

Goal  *12*1*2*1*1*2*1*2*1*1*2:  SET(a) 

Goal  *12*1*2*1*1*2*1*2*1*2*1:  cl-kAa-{p“(ee"k)) 

Goal  *12*1  *2*1  *1*2*1  *2*1  *2*1*1:  d-k 
Goal  *12*1  *2*1  *1*2*1  *2*1  *2*1*2:  a-(p”(ee"k)) 

*****TAUTEQ  d-d;

192  d-d 

*****EG  T  d«-k  OCC  2;

193  NATNUM(cl)o3k.d-k 
*****TAUT  T:«2  TTTT.T; 

194  3k.c  1  -k  (189) 

*****TRY  1  USING  UNIFY  T;

195  3k.cl-k  (189) 

196  cl-k  (196) 

*****TRY  USING  EQUNIFY;

197  3a.a-(p"(ee"k)) 

198  a-(p"(ee"k))  (198) 

199  d-kAa-(p"(ee"k))  (196  198) 

200  3k.(d-kAa-(p"(ee*k)))  (196  198) 

*****TRY  USING  MONADIC  SETPEEI  TTT;

201  SET(a)  (1  13  17  198) 

*****SIMPLIFY  Vi.NATNUM(i);
202  Vi.NATNUM(i)

*****TRY  #12*1 *2*1 #1*1 #1*2  USING  MONADIC  187  t; 

203  NATNUM(cl)  (186) 


*****TRY  #12*1*1*1*1  USING  MONADIC; 

204  (SET(d)A3a  b.<d-opair(a,b)A({SET<b)ASET(a))A3k.<b-kAa-(p,'(ee,’k)))X 
)))=>3b  c.d«opair(b,c) 

205  Vd.«SET(d)A3a  b.(d»opair(a,b)A((SET(b)ASET(a))A3k.(b-kAa-(p,,(ee"K 
K))))))=»3b  c.d«opair(b,c)) 


*****GOAL  Vi  j.(j  LT  io-eeMj-ee”i)  ASSUME  165; 

Goal  #13:  Vi  j.(j  LT  io-^ee'jKee-i))) 

***«TRY  USING  LOGIC; 

The  wff  of  this  goal  does  not  rewrite.  Sorry. 

Goal  *13*1:  j  LT  i=>-((ee"j)-(ee"i)) 

The  wff  of  this  goal  does  not  rewrite.  Sorry. 

Goal  *13*1*1:  -<(ee”j)-(ee"i)) 

206  j  LT  i  (206) 

RESOLVE  j  LT  iD<ee"i)c<eeBSUC(j)> ,  j  LT  i  -*->  <ee"i)c(ee"$UC(j)> 

207  (ee"i)c(ee"SUC(j))  (1  13  17  206) 

The  wff  of  this  goal  does  not  rewrite.  Sorry. 

We  have  a  failqueue  of  length:  1 

Starting  a  new  2-th  pass  on  new  queue  of  length:  1 

The  wff  of  this  goal  does  not  rewrite.  Sorry. 

We  have  a  failqueue  of  length:  1 
Failure:  can’t  prove  anything  on  failqueue. 

The  tactic  LOGIC  can’t  be  applied  to  goal 
Goal  *13:  Vi  j.(j  LT  i=>-((ee"j)-(ee,,i))) 

FACTS:  165  Yj  i.(j  LT  io(ee,,i)c(ee,'SUC(j))) 

Simpsets:  (  BY  LOGICTREE  COMPTREE) 

Reasons:  (VI  ((j  i)  j  i)  NIL) 

Number  of  sons:  1 

*#***VE  143  j; 

208  (ee”$UC(j))c((ee"j)  \  singl(p"(ee"j)))  (1  13  17) 

***«*VE  AUX23  TT:*1  T:#l  T:«2; 

209  ((ee"i)c(ee"SUC(j))A(ee"SUC(j))c((ee"j)  \  singl(p"(ee"j))))3(ee"iX 
)c((eeHj)  \  singKpWj))) 

♦♦♦♦♦TAUT  t:»2  tTT:j

210  (ee"i)c({ee"j)  \  singl(pB(eeBj)))  (1  13  17  206) 

♦♦♦♦♦MONADIC  pB<eeBi)  (  ee"i  103  133  AUX3; 

211  (p"(ee"i)X(ee”i)  (1  13  17) 

♦♦♦♦♦LABEL  PINEE-, 

♦♦♦♦♦VI  T  i; 

212  Vi.(p"(ee"i)X(ee"i)  (1  13  17) 

♦♦♦♦♦YE  AUX11  p“(ee"j)  eeBji 

213  SET(p"(ee"j))3Vc.(c<((ee"j)  \  singi{p,,{ee“j)))3(c<(ee“j)A^c-(p“(ee”j))))) 
♦♦♦♦♦RESOLVE  SETPEEI  T; 

RESOLVE  SET(p”(ee"j))3Vc.<c<((ee"j>  \  singKp“(ee"j)))»(c<(ee"j)A^c-% 
<p"(eeMj)))»  .  Vi.SET(p”(ee”i))  --  Vc.(c<((ee”j)  \  singl{p”{ee"i)))rt 
(c<(ee”j)A-(c»(p“(ee"j))))) 

214  Vc.(cC((ee"j)  \  singl(p"(ee“j)))s(c<(eeMj)A-.(c-(pB(ee”j)))))  (1  13  17) 
♦♦♦♦♦REWRITE  210  BY  {SUBSET}; 

1  substitutions  were  made 

215  Vc.(c«eeBi)3c<((ee"j)  \  singl(p“(ee"j))))  (1  13  17  206) 
♦♦♦♦♦MONADIC  -  pB(ee“j)  <  ee”i  TT;; 

216  -((pB(eeBj))<(eeBi))  (1  13  17  206) 

♦♦♦♦♦TRY  USING  REWRITE  BY  {KEXT  PilMEE  T}; 

Goal  •'Vc.(c((eeBjXc((ee"i)) 

♦♦♦♦♦TRY  USING  MONADIC  PINEE  T; 

217  •'Vc.(c<(eeBj)*cc(ee”i))  (1  13  17  206) 

218  •^(eeBj)-(eeBi))»-Vc.{c<(eeBj)sc((ee"i)) 

219  M(eeBj)-(ee"i))  (1  13  17  206) 

220  j  LT  io-((eeHjMeeBi»  (1  13  17) 

221  Vi  j.(j  LT  io-^(eeBjMee"i)))  (1  13  17) 

♦♦♦♦♦MONADIC  Vi  j.(-i-p-ee"i-ee"j)  LESS2  T;

222  Vi  j.Hi-j)=X(ee"i)-{ee"j)))  (1  13  17) 

♦♦♦♦♦MONADIC  -p"(eeMj)“p"(ee"i)  PINEE  216; 

223  -((p"(ee"j)Wp"(eeMi)))  (1  13  17  206) 

♦♦♦♦♦DED  206  T; 

224  j  LT  i=^((p"(ee-j)HpN(ee"1)))  (1  13  17) 

♦♦♦♦♦VI  T  j  i; 

225  Vj  i.(j  LT  i3-((p"(ee"j)Mp"(ee''i))»  (1  13  17) 

♦♦♦♦♦VE  T  i  j; 

226  i  LT  p-t((p’,(eeHi))-(p"(eeHj)))  (1  13  17) 

**,**MONADIC  T:«2#l=i=j  LESS2  TTT.T; 

227  (p"(ee"i))«(p"(ee"j))oi-j  (1  13  17) 

♦♦♦♦♦LABEL  INJPEE; 

♦♦♦♦♦VI  T  i  j; 

228  Vi  j.«p"(ee"i))-(pB(ee"j))3i-j)  (1  13  17) 

♦♦♦♦♦LABEL  INJEE  222; 

♦♦♦♦♦TRY  «12ttl»l»2«l  USING  si; 

Goal  <*12<*l«U2*il«l;  c«d 
♦♦♦♦♦PREPARE; 

229  ((SET(bl)ASET(c))A3a  b.«bl-aAc-b)A(($ET(b)ASET(a))A3k.(b-kAa-(p"X 
(ee"k))»»A«SET(b  1  )ASET(d))A3a  b.((b  1  -aAd-b)A((SET(b>ASET(a)>A3k.(bX 
-kAa-(p-(ee"k))))))  (229) 

230  3a  b.((bl-aAd-b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(ee,,l')))))  (229) 

231  SET(d)  (229) 

232  SET(bl)  (229) 

233  3a  b.((bl-aAc-b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(ee"k)))))  (229) 

234  SET(c)  (229) 

235  SET(bl)  (229) 

***«ES  TTTTTT  a  b;

236  (bl-aAd«b)A(<SET(b)ASET(a))A3Mb»kAa-(p"(ee”lO)>)  (236) 

*»***ES  tttt  al  cli 

237  (b  1  -a  1  ac-c  1  )a«SET(c  1  )ASET(a  1  ))a3Mc  1  -kAa  1  -(p"(ee“k)»)  (237) 
♦♦♦♦♦TAUT  TT:*2#2  TTj 

238  3k.(b-kAa«(p"<ee"k)))  (236) 

♦♦♦♦♦TAUT  TT:#2«2  TT; 

239  3k.(cl-kAal-(p"(ee"k)))  (237) 

♦♦♦♦♦ES  TT  i; 

240  b-iAa-(p"(ee"i))  (240) 

****»ES  TT  j; 

241  cl-jAal-(p"(ee"j))  (241) 

♦♦♦♦♦VE  INJPEE  i  ji 

242  (p"(ee"i))-(p"(ee"j))3i-j  (1  13  17) 

♦♦♦♦♦TRY  USING  TAUTEQ  T,TT,TTT, TTTTTT, TTTTTTT; 

243  c-d  (1  13  17  229) 

244  («SET(b  1  )ASET(c))A3a  b.((b  1  ■.aAC-b)A((SET(b)ASET(a))A3k.(b-kAa-(p% 
"(eeBk))))))A((SET(bl)ASET(d))A3a  b.«bl-aAd-b)A((SET(b)ASET(a))A3k.('/C 
b-kAa-(p"(ee"k)))))))3c-d  (1  13  17) 

245  Vbl  c  d.((((SET(bl)ASET(c))A3a  b.«bl-aAC«b)A«SET(b)ASET<a))A3k.X 
(b-kAa-(p"(eeMk))))))A((SET(b  1  )ASET(d))A3a  b.((b  1  -aAd»b)A((SET(b)ASET% 
(a))A3k.(b-kAa-(p”(eeHk)))))))3c«d)  (1  13  17) 

246  Vd.«$ET(d)A3a  b.(d-opair(a,b)A((SET(b)ASET(a))A3k.(b-kAa-{p’'(ee"X 
k))))))=3b  c.d-opair(b,c))AVbl  c  d.((((SET(bl)ASET(c))A3a  b.((bl-3Ac-X 
b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(ee"k))))))A((SET(bl)ASET(d))A3a  b.(% 
(bl-aAd-b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(ee"k))))»)3c-d)  (1  13  17) 

♦♦♦♦♦TRY  USING  LOGIC; 

247  Vbl  c  d.(«(SET(bl)ASET(c))A3a  b.«bl-aAc-b)A((SET<b)ASET(a)>A3k.K 
(b-kAa-(p"(ee"k))))))A((SET(bl)ASET(d))A3a  b.«bl-aAd-b)A«$E7(b)ASET!< 
(a))A3k.(b-kAa-(p"(ee"k)))))))=c-d)  (1  13  17) 

248  Vd.(\SET(d)A3a  b.(d-opair(a,b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(eeHX 
k))))))o3b  c.d«=opair(b,c))  (1  13  17)

249  SET(cl)  (189) 

250  SEKcl)ASET(a)  (1  13  17  189  198) 

251  (SET(cl)ASET(a))A3Mcl-kAa«.(p“(eeMk)))  {1  13  17  189  196  198) 

252  3a.{(SET(cl)ASET(a))A3k.(cl=kAa={p"(ee"k))))  (1  13  17  189) 

253  Vbl  c  d.«((SET(bl)A$ET(c))A3a  b.«bl-aAC-b)A<(SET(b)ASET(a»A3k.* 
(b-kAa-(p,,(ee"k)))))'A((SET(bl)ASET{d))A3a  b.((bl-aAd-b)A((SET(b)ASETC 
(a))A3k.(b*=kAa«=(p,,(ee"k)))))))oc=d)  (1  13  17) 

254  Vd.((SET(d)A3a  b.(d-opair(a,b)A((SET(b)ASET(a))A3k.(b-kAa-(p"(eeHX 
k))))))a3b  c.d*=opair(b,c))  (1  13  17) 

255  SET(cl)  (189) 

256  SET(cl)A3a.((SET(cl)ASET(a))A3k.(cl-kAa={p”(ee"k))))  (1  13  17  189) 

257  (SET(c  1  )aNATNUM(c  1  )):><SET<c  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  =kAa-(p“K 
(ee"k)))))  (1  13  17) 

258  Vbl  c  d.((((SET(bl)ASET(c))A3a  b.((bl«aAc-b)A((SET(b)ASET(a))A3k.*/C 
(b=kAa-(p,,(ee"k))))))A((SET(bl)ASET(d))A3a  b.((bl«aAd«b)A((SET(b>ASETX 
(a))A3k.(b«=kAa>=(p"(ee,,k)))))))3c>=d)  (1  13  17) 

259  Vd.((SET(d)A3a  b.(d-opair(alb)A<(SET(b)ASET(a))A3k.<b-kAa«(p”(ee"X 
k))))))33b  c.d-=opair(b,c))  (1  13  17) 

260  SET(cl)  (186) 

261  SET (c  1  )aNATNUM(c  1 )  (186) 

262  (SET(c  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  -kAa-(p,,(ea,’k))»)=>(SET(c  1  )aNATNUM(c  1 )) 

263  <$ET(c  1  )A3a.((SET(c  1  )ASET'a))A3k.(c  1  -kAj-(p"(ee,,k))))MSET(c  1  )aNK 
ATNUM(cl))  (1  13  17) 

264  Vc  1  ,((SET(c  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  =kAa=(p',(ee,,k)))))s(SET(% 
cl)ANATNUM(cl)))  (1  13  17) 

265  Vc  l  .((SET(c  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  «kAa*(p,,(ee,’k»»)s(SET(c  1  )'i 
ANATNUM(cl)))AVc.((SET(c)A3a.((SET(a)ASET(c))A3k.(a-kAc-(p"(ee"k)))))octG)  (1  13  17) 

266  (Vd.((SET(d)A3a  b.(d»opair(a,b)A((SET(b)ASET(a))A3Mb-kAa-(p',(ee)( 

”k))))))o3b  c.d*=opair(b,c))AVbl  c  d.(«(SET(bl)ASET(c))A3a  b.((bl-aAc*-( 
-b)A((SET(b)ASET(a))A3k.(b-kAa-=(p"(ee"k))))))A((SET(bl)ASET(d))A3a  b X 
((bl-aAd-b)A((SET(b)ASET(a))A3k.(b=kAa«={p,,(ee"k))))»)DC=d))A(Vcl.((S,-( 

ET(c  1  )A3a.((SET(c  1  )ASET(a))A3k.(c  1  -kAa-(p"(ee"k)))»E<SET(c  1  )aNATNUM(K 
cl)))AVc.((SET(c)A3a.((SET(a)ASET(c))A3k.(a-kAc-(p”(ee"k)))))3ccG))  (1  13  17) 

267  (FNC(CONV(!b|3k.b-opair(k1p"(ee"k))}))A(DOM({b|3k.b-opair(k,p"(eeK 
“k»})-omegaARNG({b|3K.b-opair(k1p“(ee"k))})cG))5((Vd.((SET(d)A3a  b.(X
d»opair(a,b)A{(SET(b)ASET(a))A3k.{b*kAa»(p"(ee',k))))))33b  c.d*=opair(b/( 
,c))AVbl  c  d.((«SET<bl)ASET<c))A3a  b.«bl-aAc-b>A((SET(b)ASET(a»A3k* 
.(b-kAa-(pM(ee"k))))))A«S£T(b  1  )ASET(d))A3a  b.((bl-aAd-b)A((SET(b)ASE* 
T(a))A3k.{b-KAa-(p"(ee"k)))))))=>c  -d)WVc  1  .«SET(c  1  )A3a.<(SET(c  1  )aSETX 
(a))A3k.(c  1  -kAa-(p"(ee"k)))))*(SET(c  1  )aNATNUM{c  1  »)AVc.((SET<c)/\3a.«X 
SET(a)ASET(c))A3k.<a-kAc-(p',(ee"k)))))oc<G))> 

268  FNC(CONV({b|3k.b*opair(k,p’'(ee"k))}))A{DOM({b|3k.b«opair(k,p',(ee"% 
k))})-omegaARNG({b|3k.b-opair(k1pH(ee“k))})cG)  {1  13  17) 

LOGIC  SUCCEEDED! 

*****TRY  ttUUltl  USING  Al; 

Goal  elelelelelt  RNG({b!3k.b-=opair(k,p"<ee"k»}  |  IF  DENUM({k|DENUM(X 
{b|b<(ee"k)Apair(p"(ee"k),b)(R})})  THEN  {k|DENUM({b|b<(ee"k)Apair(p"(X 
ee"k),bXR})}  ELSE  {kHDENUM({b|b<(ee“k)Apair(p“(ee"k),bXR})})cG 
Goal  #1*1*1#1#2:  DENUM(RNG({b|3k.b«opair{k,p“(ee"k))}  |  IF  DENUM({k|% 
DENUM({b|bc(ee”k)Apair(pM(ee"k),b)(R{)})  THEN  {k|DENUM<{b|b«ee"k)Apa< 
ir(p”(ee"k)(bKR))}  ELSE  {khDENUM({b|b<(ee”k)Apair(pM<ee”k),bXR})}>% 
)A(EDGESET(RNG({b|3k.b-opair(kIpB(ee,,k))}  |  IF  DENUM({k|DENUM({b|b<(eX 
e"k)Apair(p"(ee"k),b)(R})})  THEN  {k|DENUM({b|b<{ee,,k)Apair(p',(ee"k),bX 
>< R } ) }  ELSE  {k|-’DENUM({b|b<(ee"k)Apair(p"(ee"k),b)(R})}))cBvEDGESET(R% 
NG({bpk.b'Opair(k.p"(ee"k))}  |  IF  DENUM{{k|DENUM<{b|bc(ee"k)Apair(p,,K 
(ee"k),b)<R})})  THEN  {k|DENUM({b|b<(ee"k)Apair(p"(ee"k),bXR})}  ELSE  X 

{k|-DENUM({b|b((ee"k)Apair{p"<ee“k),b)<R})}))cR) 

#****VE  L184  {b|3k.b-opair(klP”(ee"k)){ 

*  IF  DENUM{{k|DENUM(!b|b«ee"k)Apair(pM{ee"k)(bXR5)}) 

*  THEN  {k|DENUM({b|b((ee',k)Apair(p"{ee"k),b)(R})} 

*  ELSE  {k|-DENUM({b|b((eeHk)Apair(pH(ee"k)>b)(R})}  : 

269  FNC({b|3k.b-opair(k,p“(ee“k))}):>RNG({b|3k.b«opair(k,pM(ee”k))}  |  % 

IF  DENUM({k|DENUM({b|b(<ee"k)Apair(p"(ee"k),bKR})})  THEN  {k|DENUM({biC 
|b<(ee"k)Apair(p"(eeMk),b)<R;)}  ELSE  {khDENUM({b|b<(ee"k)Apair(p',(eeX 
Mk)1b)<R})})cRNG({b|3k.b-opair(k,p"{ee”k))}) 

**#**VE  AUX23  T:«*2#l  T:#2#2  G; 

270  (RNG({b|3k.b-opair(k,p”<ee"k))}  |  IF  DENUM({k|DENUM({b|b<(ee"k)ApX 
air(p"(ee"k),b)<R})})  THEN  {k|DENUM({b|bc(ee"k)Apair(p"(ee"k),b)<R})}X 
ELSE  {k|-DENUM({b|b<(ee"k)Apair(p"(ee"k),b)(R})})cRNG({b|3k.b-opair(X 
k,pH(eeHk))})ARNG({b|3k.b-opair(k,p"(ee"k))})cG)oRNG({b|3k.b-opair(k,X 
p"(ee”k))}  |  IF  DENUM({k|DENUM{{b|b({eenk)Apair(p"(ee"k),bXR})})  THE* 

N  {k|DENUM{{b|b((ee"k)Apair(p"(ee"k),bXR}))  ELSE  {k|-DENUM({b|b<(ee"% 
k)Apair(p"(ee"k),b)<R})})cG 

****»TRY  1  USING  TAUT  48  TTT:; 

271  RNG({b|3k.b«opair<k,p"<ee"k))}  |  IF  DENUM({k|DENUM({b|b«ee"k)Apa% 
ir(p"(ee"k),bXR})})  THEN  {k|DENUM({b|b((ee"k)Apair{p“(ee"k),bXR})}  X 
ELSE  {k|-DENUM({b|b«ee"k)Apair(p,,(ee"k),bXR})})cG  (1  13  17) 


*****TRY  USING  Al; 

Goal  *1*1*1«1«2*1:  DENlMRNG('bi3k.b«opair(k,pB(eeBk))}  |  IF  DENUM({*
k|DENUM<{b|b<(eeBk)Apair(pB(eeBk),bXR}>})  THEN  {k|DENLM{b|b((eeBk)AX 
pair(p“{ee"k),b)<R})}  ELSE  {k|’DENUM(ib|b<.(ee"k)Apair{p"(ee"k),b)<R})X 

Goal  EDGESET(RNG({b|3k.b-opair{k,pB{eeBk))}  |  IF  DENUNTC 

({k|DENUM({b|bc(ee"k)Apair(p"(eeHk),b)<R})})  THEN  'k|DENUM({b|b<(eeBkX 
)Apair(p"(ee"k),b)(R))}  ELSE  {k|'D£NUM([b|b<(eeBk)Apair<pB(eeBk),bXRX 
})}))cBvEDGESET(RNG({b|3k.b«opair(k,p"(eeBk))}  |  IF  DENUM({k|DENlM{bX 
|b<(ee"k)Apair(p"(ee”k),bXR(>!>  THEN  {k|DENUM{{b|bc(eeBk>Apair(pB<ee,.< 
Bk),bXR})}  ELSE  {k|-'DENUM{{b|b<(ee"k)Apalr(p”<ee"k),bXR})l))cR 


**»**VE  L95  T:#l«l*l  T:*l#l»2; 


272  FNC<{b|3k.b-‘0pair<k,pB<eeBk))}):>(IF  DENUM{{k|DENUM{'b)b<(eeBk)ApaK 
ir(pM(ee"k),bXR})})  THEN  {k|DENLM!b|b<(eeBk)Apair(pH(eeBk),bXR})}  % 
ELSE  {khDENUM<{b|b<<ee"k)Apair<p”<ee"k),bXR)))cD(M{bt3k.b“Opair<k>X 
p"(ee"k»})3DOM({b|3k.b-opair(k,pB<eeBk))}  |  IF  DENUM({k|DENUM({b|b<U 
eeBk)Apair(p”(eeHk),bXR})})  THEN  {k|DENUM({b|b<(eeBk)Apair{p“(ee”k)A 
bXR})}  ELSE  {k|-DENUM{{b|b<(ee“k)Apair(p"(ee“k),bXR})})“IF  DENUM({ktf 
|DENUM({b|b<(ee"k)APair(p"(ee"k),b)<R})})  THEN  {k|DENUM({b|b((ee"k)Apl£ 
air(p"(ee"k),bXR})}  ELSE  {kHDENUM({b|b({eeBk)Apair(p"{eeBk),bXR})}) 

***»*TAUT  DENUM(1T:*1«1*2)  31; 

273  DENUMOF  DENUM({k|DENUM{!b|b((ee“k)Apair{p,,(eeMk),bXR})})  THEN  {X 
k|DENUM({b|b<(ee“k)Apair(p"(ee"k),bXR})}  ELSE  {k|-OENUW({b|b((ee"k)AX 
pair(p"(ee“k),bXR})}) 


***»*VE  AUX35  30:*2*1  30:«2«2; 

274  UNIVERSAL({k|DENUM({b|b((eeMk)APair(p"(ee"k))bXR})})3(UNIVERSAL(X 
{k|-DENUM{b|b((ee"k)Apair(p"{eeBk),b)(R})})3{{k|OENUM{{btb((ee,,k)Apa% 
ir(p“(eeBk),bXR})}c({k|OENUM({b|b<(ee"k)Apair(p"(ee"k)1bXR})}u{k[-’DX 
ENUM({b|b((ee”k)Apair(p"(eeBk)lbXR})})A{khDENUM{{b!b({eeHk)Apair(p"X 
(ee“k)1bXR})}c({k|DENUM{{b|b<(ee"k)Apair(p“{ee"k),bXRj)}u-[k|-'DENUM(X 
{b|b«ee"k)Apair(pB(ee"k),bXR})}))> 

*****EVAL  T; 

275  {k|OENUM({b|b((ee“k)Apair(pB(eeBk),bXR})}c({k|DENUM({b|b({ee,'k)AX 
pair(p"(eeBk).bXR})}u{khDENUW({b|b((ee"k)Apair(p"(ee,'k),bXR})})A{k« 
|-'DENUM({b|b((ee”k)Apair(p"(eeBk),b)(R})}c{{k|OENUM({b]b((ee"k)Apair(K 
pB(ee"k).b)(R})}u{k|-DENUM{{b|b«ee"k)Apair{p"(ee"k),b)<R})}) 

***«VE  L153  48:#1  TTT:*1; 

276  FNC({b|3k,b-opair;k)pB(eeBk))})o(FNC(CONV({b|3k.b“Opair(k,p”(eeBkX 
))}))3FNC(CONV({b|3k.b-opair{k,pB(ee"k))}  |  IF  DENUM({k|DENUM({b|b<(eX 
eBk)Apair<pB(eeBk),bXR})})  THEN  {k|DENUM{{b|b<(eeBk>Apair(pB(eeBk)(b* 
XR})}  ELSE  {k|-DENUM({b|b<(eeBk)Apair(pB{eeBk>,b)(R})}») 

*«***VE  L161  48:*  1  |  TTTT:«1; 

277  FNC({b|3k.b-opair(k,pB(eeBk))}  |  IF  DENUM<{k|DENUM({b|b«(eeBk)Apa% 
ir(p"(eeBk),bXR})})  THEN  {k|DENUM({b|b({eeBk)Apair(p"(ee"k),bXR})}  X 
ELSE  {k|-DENUM({b|b<(eeMk)Apair{p"{ee"k),b)<R})})=>{FNC(C0NV({b|3k.b-o<(
pair(k,pB(ee"k))}  |  IF  DENUM({k|DENUM({b|b<:<ee,'k)Apair(p,,(ee,,k)>b)<R}K 
)})  THEN  {k|OENUM({b|b<(eeHk)Apair(p"{ee“k)IbKR}))  ELSE  {khOENUM({b« 
|b«ee"k)Apair(p"(ee,,k)1b)(R})}))3CONG<OOM({b|3k.b-opair(klp"(ee"k))}« 

|  IF  DENUM({k|DENUM({b|b<{ee"k)Apair(p''{ee"k),b)<R})})  THEN  {k|DENUMX 
({b|b<(ee"k)Apair(p"(eeHk),b)<R}>}  ELSE  {khDENUM({b|b({ee"k)Apair{p"X 
(ee"k),b)cR})}),RNG({b|3k.b-opair(k>p“(ee“k))}  |  IF  DENUM({k|DENUM({bK 
|b<(ee”k)Apair(p"(ee"k),bKR}){)  THEN  {k|OENUW({b|b<(ee,,k)Apair{p"{eeX 
"k),b)cR})}  ELSE  {khDENUW<{b|b<(ee,'k)Apair{p,,{ee“k),b)<R})}))) 

♦♦♦♦♦VE  AUX34  271:#1#1#2  271:#1; 

278  (DENUMdF  DENUM({k|DENUM({b!b<(ee',k}Apair(p,'(ee"k),b)<R5)})  THEN  X 
{k|DENUM{{b|bc(eeHk)Apair{p"(ee"k),b)<R})}  ELSE  {khDENUM({b|b<(ee"k)K 
Apair(p"(ee"k),b)<R})})ACONG{IF  DENUM('k|DENUM({bjb((ee,,k)Apair(p"(eeK 
"k),b)<R})])  THEN  {k|DENUW({b|b((ee"k)Apair(p"(ee,'k),b)(R})}  ELSE  {k|X 
->DENUM({b|b<(ee"k)Apair(p"{eeHk),b)<R})},RNG({b|3k.b“Opair(k1pu(ee”k),>( 

)}  |  IF  DENUM({k|DENUM{{b|b<{ee"k)Apair(p"{ee"k),b5<R})})  THEN  {k|DEN% 
UM({b|b((ee"k)Apair(p"(ee"k),b)(R})}  ELSE  {kbDENUM({b|b<(ee"k)Apair(X 
p"(ee"k),bKR})})))=DENUM(RNG({bpk.b-opair(k,p"(ee,,k))}  |  IF  DENUM({X 
k|DENUM({b|b<(ee"k)Apair(p"(ee”k),b)<R})})  THEN  {k|DENUM<{b|b«ee"k)A% 
pair(p"(ee"k),b)<R})}  ELSE  {khOENUM{{b|b<(ee"k)Apair(p"(ee"k),b)cR})}» 

♦♦♦♦♦VE  L41  48:#  1  273:4*1; 

279  FNC({b|3k.b-opair(k,p"(ee''k))))3FNC({b|3k.b“0pair(k,p”(ee"k))}  |  X 

IF  DENUM({k|DENLM{b|b<{ee"k)Apair(p’,(ee"k),b)<R})})  THEN  {k|DENUM({b|b<* 
(eeMk)Apair(pH(ee”k),b)<R})}  ELSE  {kbDENUM({blb<(ee“k)Apair(p"(ee,,k)ibXR})}) 

♦♦♦♦♦REWRITE  t  BY  {48}uL0GICTREE; 

2  substitutions  were  made 


280  FNC({b|3k.b-opair(k,p"(ee,’k))!  |  IF  DENUM({k|DENUM({b|b«ee“k)ApaX 
ir(p"(eeHk),b)<R})})  THEN  {k|DENUM({b|bc(ee"k)Apair(p"(ee"k),b)cR})}  X 
ELSE  {k|->DENLM{b|b<(eeHk)Apair(p"(ee"k),b)<R})}) 

♦♦♦♦♦TAUT  268:#  1  268; 

281  FNC(CONV({b|3k.b-opair(k,p"(ee"k))}))  (1  13  17) 

♦♦♦♦♦TAUT  268:#2#1  268; 

282  DOM({b|3k.b-opair(k,p"(ee”k))})-omega  (1  13  17) 

♦♦♦♦♦REWRITE  276  BY  {48  TTJuLOGICTREE; 

4  substitutions  were  made 

283  FNC(CONV({b|3k.b-opair(k,p'Vee"k))}  |  IF  DENUM({kjDENUM({b|b<(ee"X 
k)Apair(p"(ee"k),b)(R})})  THEN  {k|DENUM<{b|b<(ee"k>Apair(p"(ee"k>,bX% 
R})}  ELSE  {k|->OENUM({b|bc(ee"k)Apair{p"(ee"k),bXRJ)}))  <1  13  17) 

♦♦♦♦♦REWRITE  277  BY  (280  tJuLOGICTREE; 

A  substitutions  were  made

284  C0NG<D0M<{b|3k.b-opair(k,p"<ee"k))}  |  IF  DENUM({k|DENUM({b|b<(ee"% 
k)Apair(p"(ee"k),b)(R})})  THEN  }k|DENUM({b|b«ee"k)Apair(p"(eeNk),b)<X 
RJ)J  ELSE  {khDENUM({b|b<(eeHk)Apair{p"(ee"k),bKR}}})1RNG{{b(3k.b-opX 
air(k,p“(ee"k))}  |  IF  DENUM({k|OENUM({b|b((ee“k)Apair(p"(eeHk)1bKR}W 

})  THEN  {k|DENUM<{b|b((ee"k)Apair(p"{eeMk),b)<R})}  ELSE  {khDENUM({b|X 
b<(ee"k)Apair(p"(ee"k),bKR})}))  (1  13  17) 

♦♦♦♦♦SUBSTR  30  IN  275; 

285  WDENUM({b|b<(ee"k)Apair(p"(ee"k),b)<R})}come&aA{kl->DENllM({b|b<0( 
ee"k)APair(pH(ee"k),b)<R})}comega 

♦♦♦♦♦TAUT  T:#l  Ti 

286  {k|DENUM({b|b<(ee"k)Apair(p,'(ee"k),b)<R})}comega 
♦♦♦♦♦TAUT  TT;*2  TT; 

287  {k|-’DENUM({b|b<(ee''k)Apair(p"(ee"k),b)<R})}comega 
♦♦♦♦♦REWRITE  272:*2*1  BY  {282  TT.tJuLOGICTREEuARGIFTREE; 

9  substitutions  were  made 

288  IF  OENUM({k|DENUM({b|b((ee”k)Apair(p"(ee“k),b)cR})})  THEN  {k|DENUX 
M({b|b((ee"k)APair(p"(ee"k),b)<R})}  ELSE  { k|->DENUM(  {b  |b((ee*k)Apair(pX 
"(ee',k),b)<R})}cDOM({b|3k.b-opair(k,pM(ee”k))})  (1  13  17) 

♦♦♦♦♦REWRITE  272  BY  {48  TJuLOGICTREE; 

4  substitutions  were  made 

289  DOM({b|3k.b-opair(k,p"(ee“k))}  { IF  DENUM( {k|0ENUM( (b|b< (ee "k )APaX 
ir(p"(ee"k)1bXR})})  THEN  {k|DENUM({b|b«ee"k)Apair(p"(ee"k),bXR}»  X 
ELSE  {k|->DENUM({b|b<(ee"k)APair(p"<ee"k),bXR})})-IF  DENUM({k|DENUM({X 
b|bc(ee"k)APair(p"(ee"k).b)cR})})  THEN  {k|OENUM({b|b<(ee"k)Apair(p"(e% 
e"k),b)<R})}  ELSE  {khDENUM({b|b«ee“k)Apair(p"(ee"k).b)<R})}  (1  13  17) 

♦♦♦♦♦REWRITE  284  BY  {TJ; 

1  substitutions  were  made 

290  CONGOF  DENUM({k|DENUM{{b|b<{ee"k)Apair(p"{ee"k))b)(R})})  THEN  {kX 
|OENUM({b|b((ee"k)Apair(p''(ee',k),bXR})}  ELSE  {kK>ENUM({b|b<(ee"k>ApX 
air(p"(ee"k),bXR})},RNG{{b|3k.b"Opair(k,p''{ee"k))}  |  IF  DENUM({k|DENX 
UM({b|b<(ee"k)Apair{p"(ee"k),b)<R})})  THEN  {k|DENUM({b!b«ee"k)Apair(X 
p"(ee”k),bXR})}  ELSE  {k|-OENUM<{b|b((eeMk)Apair{p"(ee”k)>bKR})}))  (1  13  17) 

♦♦♦♦♦REWRITE  278  BY  {273  TJuLOGICTREE; 

4  substitutions  were  made 

291  DENUM(RNG{{bPk.b=opair{k,p''(eeBk))}  |  IF  DENUM<{k|DENUM({b|b«(ee*
"k)Apair(p"(ee"k),b)(R})})  THEN  {k|DENUM({b|b<(eeBk)Apair(p"(eeHk),b)K 
<R»}  ELSE  {kj-’DENUM({bib<(ee”k>Apair(p"(ee"k>,b)<R}>}»  (1  13  17) 


*«**QEO  #1#1#1»1#2#1; 

****»VE  RNG  {bPk.b«opair(k,p"(ee"k))}  | 

*  IF  DENUM({k|DENUM({b|b<(ee"k)Apair(pB(ee“k),b)<R})}) 

*  THEN  {k|DENUW{{b|bc(ee"k)Apair(p"<ee"k),bKR})} 

*  ELSE  {k|->OENUM{{b|b({ee"k)Apair(p‘'(ee"k),b)(R})} ; 

292  FNC({bPk.b-opair(k,p"(ee"k))}  |  IF  DENUM({k|DENUM({bjb((ee"k)Apa^ 
ir(pM(ee"k),b)<R})})  THEN  {k|DENUM({b|bc(ee"k)Apair(p',(ee"k),bXR})}  X 
ELSE  {k|-.DENUM({b|b({ee"k)Apair(p,,(ee"k)1b)(R})})=RNG({bPk.b«opair{k5i 
.pVe-k))}  |  IF  DENUM{{k|DENUM({b|b<(ee,,k)Apair(p',{eeBk),bXR})})  THX 
EN  {k|DENUM({b|b((eeMk>Apair(pB<ee"k),b)<R}}}  ELSE  {khDENUW({b|b((ee'<( 
"k)Apair(p"(ee"k)(bXR})})“{cPa.opair{a,c)<<{bpk.b=opair(k,p“(ee''k)X 
)}  |  IF  DENUM({k|DENUM({b|b<(eeBk)Apair(p"<ee"k),bXR})})  THEN  {k|DENK 
UM({b|b<(ee''k)Apair(p"{ee"k),b)cR})}  ELSE  {khDENUM({b|b<(eeBk)Apair(X 
p',(ee"k),bXR})})} 


*«**VE  L41  t:#l#l*l  t:*l*l«2; 

293  FNC({bPk.b-opair(k1p"(ee"k))})oFNC(lbPk.b»opair{k,p“(ee"k))}  |  IF  X 
DENUM({k|DENUM({b|b«ee"k)Apair{p"(ee,,k),b)<R})})  THEN  {k|DENUM({b|b« 
(ee"k)APair(pH(ee"k).bXR})}  ELSE  {khDENUM({b|b<(eeBk)npair(pB(eeBk),b)<R})}) 

**«*VE  RESTR  Tt:*l#Ul  tt:«l*l#2; 

294  FNC({bPk.b-opair(k1p"(ee"k))})3({bpk.b-Opair{k.p”(ee”k))}  |  IF  X 
D£NUM({k|DENUM({b|b((ee"k)Apair{p"(ee"k),b)(R}}})  THEN  [k|DENUM([b|b(5i 
(ee"k)Apair(p"(ee"k),b)(R})}  ELSE  {khDENUM(!b|bc<eeBk)Apair(pB(eeBk)% 
1bXR})})-({bPk.b-opair<k1p,,{ee,,k)))nCROSS(IF  DENUM<{k|DENUM<{b|b«eK 
e"k)Apair(p"(ee*k),b)<R})})  THEN  {k|DENUM({b|b<(ee"k>Apair{p,,(ee,,k),b* 

)<R})}  ELSE  {k|-’OENUM({b|b<(ee”k)Apair{pB(ee"k),bXR})},V)) 

*****REWRITE  Tt  BY  {48}uL0GICTREEi 

2  substitutions  were  made 

295  FNC({bPk.b-opair(k,pB(ee"k))}  |  IF  DENUM('k|DENUM({b|b<(eeBk)ApaX 
ir(p“(ee"k),b)cR})})  THEN  [k|DENUM({b|b«ee"k)Apair(pB(eeBk))bKR})}  X 
ELSE  {k|-DENUM{{b|b((ee"k)Apair(p”{eeBk),bXR})}) 

*****REWRITE  tt  BY  {48}uL0GICTREE; 

2  substitutions  were  made 

296  ({bpk.b-opair(k,pB(ee"k))}  |  IF  DENUM({k|DENUM({b|bc(ee"k)Apair(X 
pB(ee"k),b)<R})})  THEN  {k|OENUM({b|b«eeBk)Apair<p"(ee"k),b)<R))}  ELSX 
E  {k|-DENUM({b|b<(eeBk)Apair(pB(ee"k),b)<R})}M{bPk.b-opair(k,pB(ee,/{ 
"k))}nCROSS<IF  DENUM({k|OENUM{(b|b((ee"k)Apair(pB(ee,,k)1bXR})J)  THENX 

{k|DENUM({b|bc(ee"k)Apair(pB(eeBk)lb)(R})}  ELSE  {khDENUM({b|b<(ee"kX 
)Apair(p"(ee"k),b)<R})},V)) 

*****REWRITE  tmt  BY  {TT)uLOGICTREE;

2  substitutions  were  made 

297  RNG({b|3k.b-opair(k,p"(ee',k))}  |  IF  DENUM({k|DENUM({b|b((ee"k)ApaX 
ir(p’’(eeHk),b)(R})})  THEN  {k|DENUM({b|b<<ee"k)Apair(p*(ee"k),bXR}>}  X 
ELSE  {k|-DENUM({b|b<(ee’,k)Apair(p"(eeHk)lb)<R})})-{c|3a.opair{a,cK({X 
b|3k.b=opair(k.p”(ee"k))}  |  IF  DENUM<{k|DENUM({b|b<(eeBk)Apair(p”(ee"X 
k),b)(R})})  THEN  {k|DENUM({b|b((ee"k)Apair(p"(ee“k)1b)(R})}  ELSE  {k|-X 
DENUM({b|b<(eeMk)Apair(p"(ee”k),b)(R})})} 

*****TRY  USING  REWRITE  BY  {T.TTJi 

Goal  «1#1#1#1#2#2#]:  EOGESET({c|3a.opair(a,c)<({b|3k.b-=opair(k,p“(ee/< 
"k))}nCROSS(IF  DENUM({k|DENUM({b|b<(eeBk)Apair(pB(eeBk),b)<R})})  THENK 
{k|DENUM{{b|bc(ee”k)Apair(p"(ee"k)>b)(R})}  ELSE  {k|'DENUM({b|b<(ee"kX 
)Apair(p"(ee"k),b)(R})},V))})cBvEDGESET({c|3a.opair(a,c)(({b|3k.b«opaX 
ir(k,p"(ee"k))}nCROSS(IF  DENUM({k|DENUM({b|b<(ee"k)Apair(p"(ee"k),b)« 
R})}>  THEN  {k|DENUM({b|b<(ee"k)Apair(p"(ee”k),b)<R})}  ELSE  {k|-DENUM(t£ 
{b|b<(ee"k)Apair(p"(ee”k),b)<R})},V))})cR 

*****TRY  USING  IFCASES  DENUM({k|DENUM({b|b<ee“kApair(p"(eeHk),bXR})})i 

Goal  #  1  #  1 « 1  «  1  #2#2#  1  #  1 :  DENUM({k|DENUM({b|b<(eeBk)Apair(pB(eeBk),bXR1< 
})})3(EDGESET({c|3a.opair(a>cX({b|3k.b«opair(k,p"(ee"k))}nCROSS(IF  0% 
ENUM({kiDENUM(jb|b«ee"k)Apair{p,,(ee”k).bXR})})  THEN  {k|DENUM({b|b<« 
ee”k)Apair(p"(ee"k),bXR})}  ELSE  {khDENUM({b|b<(ee"k)Apair(p"(ee"k),X 
bXR})},V))})cBvEDGESET({c|3a.opair(a,cX({b|3k.b-opair(k,p"(ee"k))}nt( 
CROSSdF  DENUW({k|DENUM({b|b<(ee''k)Apair(p”(ee”k),bXR}>})  THEN  {k|DEX 
NUM({b|b<(ee”k)Apair(p"(ee"k),bXR})}  ELSE  {kbDENUM({b|b((eeBk)ApairK 
(pH(ee"k),bXR})},V))})cR) 

Goal  #  1  #  1  #  1  #  1  #2#2#  1  #2:  -DENUM({k|DENUM({b|bc(ee"k)Apair(p"(ee"k),bXt{ 
R})})=(EDGESET({c|3a.opair(a1cX({b|3k.b*=opair(k,p"(ee"k))}nCROSS(IF  X 
DENUM({k|DENUM({b|b((ee"k)Apair(p“(ee“k),bXR})})  THEN  {k|DENUM({b|b<K 
(ee"k)Apair(pn(ee"k),bXR})}  ELSE  {kbDENUM({b|b<(eeBk)Apair(pB(eeBk« 
IbXR})},V))})cBvE0GESET({c|3a.opair(a,cX({b|3k.b“Opair(k1p"{ee"k))}1{ 
nCROSSOF  DENUM({k|DENUM({b|b((ee,'k)Apair(p"(ee“k),bXR}>}>  THEN  {k|DX 
ENUM({b|b<(ee"k)Apair(p“(ee"k),bXR})}  ELSE  {khDENUM({b|b((ee"k)ApaiX 
r(pH(ee,,k)IbXR})},V))})cR) 

Goal  #1  #  1  »i #  1  tt2«2*l #1  #1:  EDGESET({c|3a.opair(a,cX({b|3k.b=opai.,'(kppK 
"(ee"k))}nCROSS(IF  DENUM{k|DENUM('b|b<(eenk)Apair(pB(eeBk),DXR})}>  X 
THEN  {k|DENUM({b|b<(ee“k)Apair(p"(ee''k),bXR})}  ELSE  {kbDENUM({b|b<OC 
ee''k)Apair(p"(ee“k)1bXR})},V))})cBvEDGESET({c|3a.opair(a1cX({bi3k.bii 
•>opair(k,p”(ee"k))}nCROSS(IF  DENUM({k|DENUM({b|b<(ee"k)Apair(p"(ee"k» 
,bXR})})  THEN  {k|DENUM([bib«ee"k)Apair(p"(ee"k),bXR})}  ELSE  {kbDEK 

NUM({b|b((ee"k)Apair(p"(ee”k),bXR})},V))})cR 

298  DENUM({k|DENUM({b|b«ee"k)Apair(p"(eenk),bXR})})  (298) 

Goal  #1«1«1#1#2#2#1#1*1»1:  EDGESET({c|3a.opair(a,cX({b|3k.b=opair(kX 

Ip"(ee',k))}nCROSS({k|DENUM((b|b((ee“k)Apair(p"(ee"k),bXR})},V))})cBvK 

EDGESET({c|3a.opair(a,cX({b|3k.b“Opair(k1p,'(ee"k))}nCROSS({k|DENUM({t£ 

b|b<(ee"k)Apair(pn(eeHk),b)(R})},V))))cR 

Goal  #  1  «*  1  #  1  <»  1  #2#2«  1  #2#1 :  EDGESET({c|3a.opair(a,cX({b|3k.bcopair(k,pK 
"(ee*’k))}nCROSS(IF  DENUM({k|DENUM{{b|b<(eeBk)Apair(pB(eeBk>)bXR})})  X 
THEN  {k|DENUM{{b!b{(ee"k)Apair(p”(ee"k),bXRj)}  ELSE  {khDENUM({b|b<(% 
ee"k)Apair(p"(ee"k),bXR})},V))})cBvEDGESET({cpa.opair(a,cX({bpk.b1£
-opair(k,p"(ee"k))}nCROSS(IF  DENUM({k|D£NUM({b|b<(ee,,k)Apair(p“(ee*,k)* 
,bKR})})  THEN  {klDENUM({b|b<(ee"k>Apair(p”{ee"k).b)<R})}  ELSE  {kK>EX 
NUM({b|b<(ee"k)Apair{p’,(ee“k),b)(R})},V))})cR 

299  ■•DENUM({k)DENUM({b|b<{ee"k)Apair{p“{ee"k)1b)<R})})  {299) 

300  DENUM({klDENUM({b!b<{ee"k)Apair(p”{ee"k),b)<R})})*FALSE  (299) 

Goal  »1*1«1*1«2*2»1»2*1»1:  EOGESET({c|3a.opair(a,c)<{{b|3k.b>opair(kX 
,p"(ee“k))}nCROSS({k|-DENUM({b|b<(ee"k)Apair(p"{ee"k)1b)<R})},V))})cBi{ 
vEDGESET({c|3a.opair(a,cX({bPk.b-opair(k,p"<ee"k))}nCR0SS({kbDENUM* 
({b|bc(ee"k)Apair(p"(ee"k),b)<R})}lV))})cR 

*****TRY  USING  ORI  li 

Goal  *1*1#1*1#2#2#1*2#1#1#1:  EDGESET({cpa.opair(a,cX({bpk.b»opair)£ 
(k,p"(ee"k))}nCROSS(ikhDENUM{ib|b<(ee“k)Apair(pH{ee“k),b)(R})},V))})cB 

*****TRY  USING  REWRITE  BY  {EDGESET  AUX27  AUX25  CROSS  V  SUBSET  AUX5}i 

Goal  *1*1#1#1*2*2*1«*2*1#1#1#1:  Vc1.(($ET(c1)a3c  dl.{(SET(c)A3a.(((SEX 
T(a)ASET{c))A3k.(a-kAc-(p"(eeNk))))A((SET(a)ASET{c))A3d  e.{(a«dAc-e)AX 
((NATNUM(d)A-'DENUM({b|b<(eeMd)Apair(p,‘(ee,,d),b)<R5))ASET(e))))))A((SE1C 
T(d  1  )A3a.(((SET(a)ASET(d  1  ))A3k.(a«kAd  1  «=(p,'(ee,,k))))A((SET(a)ASET(dl ))X 
A3d  e.((a-dAdl»e)A((NATNUM(d)A-DENUM({b|b<(ee"d)Apair(p"(ee"d),b)<R})% 
)ASET(e))))))AWc-d  1  )ac  1  -pair(c,d  1  )))))oc  1<B) 

*#***TRY  *1»1*1*1*2«2»U1#1#1  USING  ORI  2; 

Goal  #  1  *  1  n  1 * 1  #2*2#  1  *  1  *  1  #  1  *»l :  EDGESET({cpa.opair(a,c)c({bpk.b>»opair)£ 
(k,p"(ee"k))}nCROSS({k|DENUM({b|b((ee"k)Apair{p"(ee"k),b)(R})},V))})cR 

*««TRY  USING  REWRITE  BY  {EDGESET  AUX27  AUX25  CROSS  V  SUBSET  AUX5); 

Goal  #1*1#1*1*2*2«1«1*1*1«1*1:  Vc1.((SET(c1)a3c  dl.((SET(c)A33.(((SE*<C 
T(a)ASET(c))A3k.(a-kAC-(p"(ee"k))))A((SET(a)ASET(c))A3d  e.((a-dAc-e)A* 
((NATNUM(d)ADENUM({b|b<(ee''d)Apair{p"{ee"d)1b)(R}))ASET(e))))))A((SET« 

(d  1  )A3a.(«SET(a)ASET(d  1  ))A3k.(a-kAd  1  -{p”(ee"k))))A{{SET(a)ASET(d  1  ))a  X 
3d  e.((a-dAdl-e)A((NATNUM(d)ADENUM({b|b<(ee,,d)Apair(p’,<ee"d),b)<R}))AX 

SET(e))))))A(-<c«d  1  )ac  1  -pair(c,d  1  )))))=>c  KR) 

*****GOAL  Vi  j.(i  LT  jalF  DENUM({blb<eeMiApair(p"<ee"i),bXR}) 

*  THEN  pair(p"(ee"i),p"(ee"j)XR 

*  ELSE  peir(p"(ee“i),p"(ee'"j))(B  ); 

Goal  *14:  Vi  j.(i  LT  jolF  DENUM({b|b<<ee"i)Apair(p',<ee"i),bXR}>  THEN  X 
pai r ( p"(ee"i ),p"(ee"j ))( R  ELSE  pair<p"<ee"i),pH{ee"j)XB) 

*****TRY  USING  ELIMINATION; 

Goal  «14*1:  i  LT  j=>IF  DENUM{'b!b«ee"i)Apair{p“<ee"i),bXR})  THEN  paX 
ir(p"(ee"i),p,,{ee"i)XR  ELSE  pair{pH{ee,,i)1p"(ee"j)XB 
Goal  «14«1«1:  IF  DENUM{{b|b({ee"i)Apair(p,'(ee"i),bXR})  THEN  pair(p"* 
(ee’Up'WjJXR  ELSE  pair(p"(ee"i).pB(ee“j)XB 

»****PREPARE;

301  i  LT  j  (301) 

**#**VE  165  i  jj 

302  i  LT  p(ee"j)c(ee"SUC(i))  (1  13  17) 

*****TAUT  T:#2  TT:j 

303  <ee"j)c(ee"SUC<i)>  (1  13  17  301) 

*****REWRITE  t  BY  {SUBSET  SUCI}; 

2  substitutions  were  made 

304  Vc.(c<(ee"j)Dc<IF  DENLM{b|b<(ee*i)Apair(p7ee“i)1bXR})  THEN  {b|!i 
b<(ee"i)Apair(p"(ee"i),b)<R}  ELSE  {b|b<(ee"i)Apair(p"(ee"i),bXB})  (1  13  17  301) 

***«*VE  t  p"(ee"j); 

305  (p"<ee"j)X<ee"jMp"<ee"j)XIF  OENUM({b|b<(ee"i)Apair(p"(ee"i),b« 

XR})  THEN  {b|bc(ee"i)Apair(p”(ee"i),bXR}  ELSE  {b|b<(ee"i)Apair(p"(eX 
e"i),bXB}  (1  13  17  301) 

««**REWRITE  T  BY  {PINEEJuCOMPTREEuLOGICTREEuARGlFTREEuWFFIFTREE; 

6  substitutions  were  made 

306  (0ENUM({b|b((ee,,i)Apair(p"(ee”i)>bXR})3(SET(p"(ee"j))A«p"(ee"j)« 
((ee"i)Apair(p"(ee"i)(p"(eeHj)XR)))A(-DENUM({b|b<(ee"i)Apair(p’,(ee"i),b))( 
<R})o<SET(p"(eeMj))A((pH(eeHj)X(ee"i)Apair(p"(ee"i),p"(ee’,j)X8)))  (1  13  17  301) 

*****TRY  USING  TAUT  T; 

307  IF  DENUM({b|b((ee"i)Apair(p"(ee"i),b)(R})  THEN  pair(p"(ee"i),p"(eX 
eMj)XR  ELSE  pair(p"(eeMi),p"(ee"j))<8  (1  13  17  301) 

308  i  LT  j=»IF  DENUM({b|b({ee"i)Apair{p"(eeHi).b)<R})  THEN  pai r{p"{eeBX 
i),p"(ee"j)XR  ELSE  pair(pH(ee"i),p"(eeBj)XB  (1  13  17) 

309  Vi  j.(i  LT  j3lF  DENUM({b|b<(ee“i)Apair(p"(ee"i),bXR})  THEN  pair(X 
p"(ee"i),p"(ee"j))<R  ELSE  pair(pB(eeBi),pM(eeMj))<8)  (1  13  17) 


*****TRY  «l*UUU2a2i»lal«l*l#Ul  USING  ELIMINATION; 

Goal  *1*1*1«1«2«2*1«1*1*1*1«*1*1:  (SET(c1)a3c  dl.((SET(c)A3a.(((SET(aK 

>ASET(c))A3k.(a-kAC-(p"(ee"K))))A((SET(a)ASET(c))A3d  e.((a-dAC-e)A((NX 

ATNUM(d)ADENUM(jb|b((ee"d)Apair(p”(eeHd).bXR}))ASET!e))))))A((SET(dU 

)A3a.(((SET(a)ASET(d  1  ))A3k.(a-kAd  1  -(p"(eeHk))))A((SET(a)ASET(d  1  ))A3d  % 

e.((a-dAdl-e)A((NATNUM(d)AOENUM(fb|b((ee"d)Apair(p"(ee"d),bXR}))ASETX 

<«»)»)  A^c-d  1  )ac  1  -pair(c,d  1  )))))=»c  1<R 

Goal  al«l«l«l*2a2*l*l*l«l«lal«l*l:  cl(R 

♦♦♦♦♦PREPARE1,

310  SET(c1)a3c  dl.((SET(c)A3a.((<SET(a)ASET(c))A3k.(a«kAc«=(p"(ee,,k)))K 
)A((SET(a)ASET(c))A3d  e.((a«dAc-e)A((NATI\IUM(d)ADENUM({b|b<(eeMd)Apair% 
(p"(ee"d),bKR}))ASET(e»»))A((SET(dl)A3a.(((SET{a)ASET{dl))A3k.(a-kX 

Ad  1  -(pH(ee"k))))A((SET(a)ASET{d  1  ))A3d  e.((a«dAd  1  »e)A((NATNUM(d)ADENUMK 
({b|b<(ee"d)Apair(p"(ee"d),b)cR}))ASET(e))))))A(^c-dl)Acl-pair(c,dl))))  (310) 

311  3c  dl.((SET(c)A3a.{((SET(a)ASET(c))A3k.(a-kAc=(p"(ee"k))))A((SET(% 
a)ASET(c))A3d  e.((a«dAc«e)A((NATNUM(d)ADENUM({b|b<(ee,'d)Apair(p,,(ee"dX 
),b)<R}))ASET(e))))))A((SET(d  1  )A3a.(((SET(a)ASET(d  1  ))A3k.(a-kAd  1  -<p"(X 
ee"k))))AUSET(a)ASET(dl))A3d  e.((a«dAdl-e)A(<NATNUM(d)ADENUM({blb<(e)< 
e*'d)Apair(pH(ee"d),b)<R}))ASET(e))))))AWc-dl)Acl-pair(c,dl))»  (310) 

312  SET(cl)  (310) 

♦♦♦♦♦ES  TT  c  d 1 ; 

313  (SET(c)A3a.(((SET(a)ASET(c))A3k.(a=kAc«(p"(ee,'k))))A((SET(a)A$ET(tf 

c))A3d  e.((a-dAc-e)A((NATNUM(d)ADENUM({b|bc(ee"d)Apair(p"(ee,,d)1b)€R}« 
))ASET(e))))))A((SET(dl)A3a.(((SET(a)ASET(dl))A3k.(a-kAdl=(p"(ee"k))« 
)A((SET(a)ASET(dl))A3d  e.((a«=dAdl*=e)A((NATNUM(d)ADENUM({b|b<(ee"d)ApaK 
ir(p"(ee"d),bKR}))ASET(e))»))AHc-dl)Acl-pair(c,dl)))  (313) 

♦♦♦♦♦ADDFACT S  *1*1 *1*1 *2*2*1 *1*1 #1*1 #1*1*1  ASSUME  Tj 

Goal  *1*1 *1*1 *2*2*1 *1*1 *1*1*1 *1*1:  cl(R 

♦♦♦♦♦PREPARE; 

31 A  cl-pair(c.dl)  (313) 

315-(c-dl)  (313) 

3 1 6  3a.(((SET(a)ASET(d  1  ))A3k.(a«kAd  1  «(p“(ee,'k))))A((SET(a)ASET(d  1  ))A3d  e.X 
((a-dAdl-e)A((NATNUM(d)ADENUM('b|b((ee"d)Apair(p"(ee"d),b)<R}))ASET(e)))))  (313) 

317  SET(dl)  (313) 

318  3a.(((SET(a)ASET(c))A3k.(a=kAc-(p"(eeMk))))A((SET(a)ASET(c))A3d  e.X 
((a-dAc-e)A((NATNUM(d)ADENUM({b|b((ee"d)Apair(pM(eeBd),b)<R}))ASET(e)))))  (313) 

319  SET(c)  (313) 

320  c-dl«FALSE  (313) 

♦♦♦♦♦ES  316  a; 

32 1  <(SET(a)A$ET(d i ))A3k.(a«kAd  1  -<p"(ee"k))))A«SET(a}ASET<d  1  ))A3d  e.X 
«a-dAdl-e)A((NATNUM<d)ADENUM({b|b((ee"d)Apair(p"(ee"d),b)(R}»ASET(e))))  (321) 

♦♦♦♦♦ES  318  a  1; 

322  ((SET(a  1  )ASET(c))A3k.(a  1  -kAC-(p"(ee"k))))A((SET(al )ASET(c))A3d  e.X 
((al-dAc-e)A((NATNUM(d)ADENUM{Ib|b«ee"d)Apair(p“(ee“d},b)<R})>ASET(e))))  (322)
#****ADDFACTS  »1«1»1»1«2»2*1*1»1*1*1«1«1«1  ASSUME  T,TT; 

Goal  *1*1»1«1*2«2«1«1*1«1»1*1#1«1:  cl(R 
**«**PREPARE; 

323  3d  e.((al-dAC-e)A((NATNUM(d)ADENUM({b|b<(ee“d)APair(p,,(ee,,d),bXR}))ASET(e)))  (322) 

324  SET(c)  (313) 

325  SET(al)  (310) 

326  3k.(a  1  -Kac  «(p"(ee"k)))  (3 1 0) 

327  SET(c)  (310) 

328  SET(al)  (310) 

329  3d  e.((a-dAdl-e)A((NATNUM(d)ADENUM({b|b((ee,,d)Apair(p”(ee"d),b)(R}))ASET(e)))  (321) 

330  SET(dl)  (313) 

331  SET(a)  (310) 

332  3k.(a-kAdl-(p"(ee"k)))  (310) 

333  SET(dl)  (310) 

334  SET(a)  (310) 

♦****ES  323  d  ei 

335  (al-dAc-e)A((NATNUM(d)ADENUM({b|b<(ee"d)Apair(p"(ee"d),b)<R}))A$ET(e))  (335) 
♦****ES  326  k; 

336  al-kAC-(p"(ee"k))  (336) 

****«ES  329  d2  e2i 

337  (a-d2Aai-e2)A((NATNUM(d2)ADENUM({b|b<(ee"d2)Apair(p',(ee"d2),bXR}))ASET(e2))  (337) 
t****ES  332  j; 

338  a-jAdl-(p"(ee"j))  (338) 

*****TAUTEQ  c-p"(ee"k)  335:; 

339  c-(p"(ee"k))  (310  313  322  336) 
m***TAUTEQ  dl-p"(ee"j)  335:; 

340  dl— <p"<ee**j))  (310  313  321  338)

♦♦♦♦♦TAUTEQ  d2-j  335:; 

341  d2-j  (310  313  321  337  338) 

♦♦♦♦♦TAUTEQ  d-k  335:; 

342  d-k  (310  313  322  335  336) 

♦♦♦♦♦TRY  USING  REWRITE  BY  {314  TTTT.TTT}; 

Goal  *1*1*1#1#2«2«1*1#1*1#1#1«1*1«1:  pair(p"(ee"k),p"(ee"j)KR 
♦♦♦♦♦ASSUME  K—j; 

343  k-j  (343) 

♦♦♦♦♦REWRITE  339  BY  {T}; 

1  substitutions  were  made 

344  c-(p"(ee"j))  (310  313  322  336  343) 

♦♦♦♦♦TAUTEQ  FALSE  315  340  T; 

345  FALSE  (310  313  321  322  336  338  343) 

*****-•1  T  343; 

346  -(k-j)  (310  313  321  322  336  338) 

♦♦♦♦♦REWRITE  335  BY  {342}; 

4  substitutions  were  made 

347  (al-kAc-e)A((NATNUM{k)ADENUM{{b|b((ee,,k)Apair(pH(ee',k),bKR}))ASE% 
T(e))  (310  313  322  335  336) 

♦♦♦♦♦REWRITE  337  BY  {341}; 

4  substitutions  were  made 

348  (a-jAdl-e2)A((NATNUM(j)A0ENUM({b|b((ee"j)Apair(p"(ee"j),bHR}))AS% 
ET(e2))  (310  313  321  337  338) 

♦♦♦♦♦REWRITE  m  BY  {LESS2}; 

1  substitutions  were  made 

349  k  LT  jvj  LT  k  (310  313  321  322  336  338) 

♦♦♦♦♦VE  309  k  j; 
350  k  LT  jsIF  DENUM({b|b<(ee“k)Apair(p"(ee"k),b)(R})  THEN  pair(pB(ee"X
k),p-(ee"j)KR  ELSE  pair(pB(eeBk),pB(eeBj)XB  (1  13  17) 

***«VE  309  j  kj 

351  j  LT  kolF  DENUM({b|b<(eeBj)Apair(pB(eeBj),bXR})  THEN  pair(pB(eeBX 
p"(ee"k))(R  ELSE  pair(pB(ee“j),pB(eeBk)XB  (1  13  17) 

♦****VE  AUX24  p"(ee"k)  pB(ee"j); 

352  pair(p"(eeMk),p"(ee"j))«pair(p"(eeMj),p"(ee"k)) 

*****TAUTEQ  T:*1(R  TTTTTT:; 

353  pair(p”(ee"k),p"(ee"j))(R  (1  13  17  310  313  321  322  336  338) 
*****QED; 


354  cl(Rspair(p"(ee"k),p"(ee"j))<R  (310  313  321  322  336  338) 

355  cl<R  (1  13  17  310) 

356  (SET(c1)a3c  dl.((SET(c)A3a.(((SET(a>ASET(c))A3k.(a=kAc«=(pB(eeBk))X 
))A((SET(a)ASET(c))A3d  e.((a»dAc=e)A((NATNUM(d)ADENUM({b|b<(eeBd)ApaiX 
r(p"(eeHd),b)CR}))ASET(e))))))A((SET(dl)A3a.(((SET(a)ASET(dl))A3k.(a=!( 

kAd  1  =(p"(ee"k))))A«SET(a)ASET(d  1  ))A3d  e.((a-dAd  1  -e)A«NATNUM(d)ADENUX 
M({b|b<(eeBd)Apair(p"(eeBd),bKR}))ASET(e))))))AHc-dl)Acl-pair(c1dl« 
»»)=>cl(R  (1  13  17) 

357  Vc  1  .((SET(c  1  )a3c  d  1  .((SET(c)A3a.«(SET(a)ASET(c))A3k.(a-kAc-(p"(eX 
eBk))))A((SET(a)ASET(c))A3d  e.((a«dAc-e)A((NATNUM(d)ADENUM({b|b<(ee"dX 
)Apair(pB(eeBd),bKR}))ASET(e))))))A((SET(dl)A3a.(((SET(a)ASET(dl))A3!( 
k.(a-kAd  1  -(pB(eeBk))))A((SET(a)ASET(d  1  ))A3d  e.((a-dAd  1  «e)A((NATNUM(t )% 
ADENUM({b|b<(eeBd)Apair(pB(eeBd),bKR}))ASET(e))))))A(-^c-d  1  )ac  1  -pair  X 
(c,dl))»)=cl<R>  (1  13  17) 

358  EDGESET({c|3a.opair(a,cX({b|3k.b=opair(k,pM(eeBk))}nCROSS({k|DENX 
UM({b|b((ee"k)Apair(pB(eeBk).bKR})},V))))cR.Vcl.((SET(cl)A3c  dl.((SEX 
T(c)A3a.(((SET(a)ASET(c))A3k.(e  .kAc-(pB(eeBk))))A((SET(a)ASET(c))A3d  % 
e.((a-dAc=e)A((NATNUM(d)ADENUM({b|b<(eeBd)Apair(p"(eeBd),bKR}))ASETO£ 
e))))))A((SET(d  1  )A3a.(((SET(a)ASET(d  1  ))A3k.(a-kAd  1  -(pB(ee"k»))A«SETX 
(a)ASET(d  1  ))A3d  e.((a-dAd  1  «e)A((NATNUM(d)ADENUM({b|b<(eeBd)Apair(p"(eX 
eBd),b)(R}))ASET(e))))))A(^c-d  1  )ac  1  -pair(c,d  1  )))))oc  1(R) 

359  EDGESET({c|3a.opair(a,cX({b|3k,b«opair(k,pB(eeBk))}nCR0SS({k|DENX 
UM({b|b((eeBk)Apair(pB(ee"k),b)(R})},V))})cR  (1  13  17) 

360  EDGESET({c|3a.opair(a,cX({b|3k.b-opair(k,p"(eeBk))}nCR0SS({k|DENX 
UM({b|b((eeMk)Apair(pB(eeBk>1bXR))},V))})cBvEOGESET({c|3a.opair(a,c)X 
C({b|3k.b-opair(k,pB(eeBk))}nCR0SS({k|DENUM({b|b((ee"k)Apair(pB(eeBk)K 
,b)<R})),V))})cR  (1  13  17) 

361  (EDGESET({c|3a.opair(a,cX({b|3k.b«=opair(k)pB(eeBk))}nCR0SS(IF  DEX 
NUM({k|DENUM({b|b«eeBk)Apair(pB(ee"k).bXR})})  THEN  {k|DENUM({b|b«(eX 


Appendix  2:  Ramsey's  Theorem. 


e"k)Apair(p"(ee"k),b)<R})}  ELSE  {khDENUM({b|b<(eeBk)Apair(pB(ee"k),bX 
XR})}.V))})cBvEDGESET({c|ja.opair(a,c)0({b|3k.b=opair(k,p"(ee"k))}nC5{ 

ROSSdF  DENUM({k|DENUM('b|b<(eeBk)Apair(pB(eeBk),bXR})})  THEN  {k|DENX 
UM({b|b<(ee"k)Apair(pB(ee"k),bXR})}  ELSE  {khDENUM({b|b((ee”k)Apair(X 
p"(ee,,k),b)<R})},V))})cR)E(EDGESET({c|3a.opair(a1cX({b|3k.b=opair(k1K 
pH(ee"k))}nCROSS({k|DENUM({b|b((ee"k)Apair(pM(ee"k),bXR})},V))})cBvEX 
DGESET({c|3a.opair(a,cX({b|3k.b=op3ir(k,pB(eeBk))}nCR0SS({k|DENUM({bK 
|b((ee”k)Apair(p,,(ee,,k),b)cR})},V))})cR)  (298) 

362  EDGESET({c|3a.opair(a,c)(({b|3k.b“Opair(k,p"(ee"k))}nCR0SS(IF  DENX 
UM({k|DENUM({b|b<(eeBk)Apair(p"<ee"k),b)<R})})  THEN  {k|DENlM{b|b«eeX 
Mk)Apair(p"(ee"k),bXR})}  ELSE  {kbDENUM({b|b((ee"k)Apair(pB(ee"k),b« 
<R})},V))})cBvEDGESET({cPa.opair(a,c)<({b|3k.b-opair(k1p"(ee"k))}nCfW 
OSS(IF  DENUM({k|DENUM({b|b<(ee"k)Apair(pB(eeBk),bXR})})  THEN  {k|DENU% 
M({b|b<(ee"k)Apair{p"(eeBk),b)<R})}  ELSE  {kK)ENUM({b|b<(ee,'k)Apair(pX 
"(ee"k),bXR})},V))})cR  (1  13  17  298) 

363  DENUM({k|DENUM({b|b<<eeBk)Apair(pB(eeBk),bXR})})3<EDGESET({c|3a.K 
opair(a,cX({b|3k.b“Opair(k,p"(ee"k))}nCR0SS(IF  DENUM({k|DENUM({b|b<(/( 
ee"k)Apair(p"(ee"k),b)(R})})  THEN  {k|DENUM({b|b((eeBk)Apair(p"(ee"k),X 

b) (R}))  ELSE  {k|-'DENUM({b|b<(ee“k)Apair(p''(ee,'k)>b)<R})},V))})cBvEOGEV 
SET({c|3a.opair(a,cX({b|3k.b=opair(k,p”(ee"k))}nCROSS(IF  DENUM({k|DEK 
NUM({b|b<(eeBk)Apair(p"(eeBk),bXR})})  THEN  {k|DENUM({b|b<(eeBk)Apair« 
(pB(ee”k),bXR})}  ELSE  {kbDENUM<{b|b((eeBk)Apair<pB<eeBk),bXR})},V))})cR)  (1  13  17) 

*****TRY  USING  ELIMINATION; 

Goal  •l«lttl*l*2*2«l*2»lttlttl*l8l:  (SET(c1)a3c  dl.((SET(c)A3a.(((SET(2" 
)ASET(c))A3k.(a-kAc-(pB(ee"k))))A((SET(a)ASET(c))A3d  e.((a«dAC«e)A((IW 
ATNUM(d)A-DENUM({b|b«ee"d)Apair(p"(ee“d),b)(R}))ASET(e))))))A((SET(d% 
l)A3a.(((SET(a)ASET(dl))A3k.(a=kAdl=(pB(eeBk))))A((SET(a)ASET(dl))A3d^ 
e.((a-dAdl-e)A((NATNUM(d)A-DENUM({b|bc(ee"d)Apair(p"(eeBd),b)<R}))ASX 
ET(e))))))A(-(c-d  1  )ac  1  *=pair(c,d  1  )))»=>c  1  <  B 
Goal  «l«lttl*l«2«2«l«2»l»l*l»lttlttl:  cl(B 

*****PREPARE; 

364  SET(c1)a3c  dl.((SET(c)A3a.(((SET(a)ASET(c))A3k.(a=kAc-(p“(eeHk))A 
)A((SET(a)ASET(c))A3d  e.((a=dAc=e)A((NATNUM(d)A-DENUM({b|b<(eeBd)Apai% 
r(p"(eeBd),bXR}))ASET(e))))))A((SET(d  1  )A3a.(((SET(a)ASET(d  1  ))A3k.(a-V 
kAdl-(pB(ee"k))))A((SET(a)ASET(dl))A3d  e.((a=dAd  1  -e)A((NATNUM(d)A->DENUM'i 
({b|b<(eeBd)Apair(pB(eeBd),bXR}))ASET(e))))))AHc=dl)Acl-pair(c,dl))))  (364) 

365  3c  dl.((SET(c)A3a.(((SET(a)ASET(c))A3k.(a-kAc-(pB(eeBk))))A((SETO( 
a)ASET(c))A3d  e.((a-dAc«e)A((NATNUM(d)A^DENUM({b|b<(ee"d>Apair(pB(eeB% 
d),bXR}))ASET(e)))»)A((SET(dl)A3a.(((SET(a)ASET(dl))A3k.(a-kAdl-(pB« 
(eeBk))))A((SET(a)ASET(dl))A3d  e.((a=dAdl=e)A((NATNUM(d)A-<DENUM({b|b<X 
(ee"d)Apair(pB(eeBd),bXR}))ASET(e))))))A(-.(c-dl)Acl-pair(c,d:))))  (364) 

366  SET(cl)  (364) 

♦****ES  TT  c  dl: 

367  (SET(c)A3a.(((SET(a)ASET(c))A3k.(a-kAc-(pB(ee"k))))AV(SET(a)ASET(X 

c) )A3d  e.((a»dAc-eM(NATI<JUM(d)A-'DENUM({b|b<(eeBd)Apair(pB(ee"d)1bXR5( 
}))ASET(e))))))A((SET(d  1  )A3a.(«SET(a)A$ET(d  1  ))A3k.(a=kAd  1  =(p”(ee"k))K
))A({SET(a)ASET(dl))A3d  e.((a=dAdl-e)A((NATNUM(d)A-DENUM({b|b<(eeBd)AK 
pair(p"(ee"d),b)<R}))AS£T(e))))))A(-(c“dl)Acl=pair(c,dl»)  (367) 

♦♦♦♦♦ADDFACTS  «*1<*1*1»1«*2»*2»1»2»1#1*1#1#1*1  ASSUME  T; 

Goal  cHB 

♦♦♦♦♦PREPARE; 

368  cl<=pair(c,dl)  (367) 

369  -(c-dl)  (367) 

370  3a.(((SET(a)ASET(d  1  ))A3k.(a=kAd  1  ■=(p"(ee"k))))A((SET(a)ASET(d  1  ))A3d  e.X 
((a-dAdl-e)A((NATNUM(d)A-.DENUM({b|bc(eeMd)Apair(p"(ee"d),b)<R}))ASET(e)))))  (367) 

371  SET(dl)  (367) 

372  3a.(((SET(a)ASET(c))A3k.(a-=kAc-(p"(ee"k))))A((SET(a)ASET(c))A3d  e.X 
((a«dAc«e)A((NATNUM(d)A-'DENUM({b|b<(ee’,d)Apair(p"(ee“d),bXR}))ASET(e))))>  (367) 

373  SET(c)  (367) 

374  c-dl*FALSE  (367) 

♦♦♦♦♦ES  TTTTT  a; 

375  ((SET(a)ASET(dl))A3k.(a=kAdl-=(p"(ee"k))))A((SET(a)ASET(dl))A3d  e.X 
((a“dAdl-e)A((NATNUM(d)A-DENUM({b|bc(ee,,d)Apair(p"(ee"d),bXR}))ASET(e))))  (375) 

♦♦♦♦♦ES  TTTT  al; 

376  ((SET(a  1  )ASET(c))A3k.(a  1  -kAc-(p”(eeMk))))A«SET(a  1  )ASET(c))A3d  e.X 
((al-dAc-e)A((NATNUM(d)A->OENUM({b|b<(ee"d)Apair(p"(ee"d),bXR}))ASET(e))))  (376) 

♦♦♦♦♦ADOFACTS  #1#1#1*1*2#2#1#2«*1#1#1<»1»»1#1  ASSUME  TT,T; 

Goal  ttlttl*l«ltt2tt2«l*2«lttl«l«l*l«l:  cl(B 

♦♦♦♦♦PREPARE; 

377  3d  e.((a-dAdl-e)A((NATNUM(d)A-DENUM({b|b((ee"d)Ap3ir(p"(ee"d),bXR}))ASET(e)))  (375) 

378  SET(dl)  (367) 

379  SET(a)  (364) 

380  3k.(a-kAdl-(p"(eeMk»)  (364) 

381  SET(dl)  (364) 

382  SET(a)  (364) 
383  3d  e.((al-dAc-e)A((NATNUM{d)A-DENUM({b|b<(ee"d)Apair(p"(ee"d),b)<R}))ASET(e)))  (376)

384  SET(c)  (367) 

385  SET(al)  (364) 

386  3K.(al-KAc-(pH(ee,,k)))  (364) 

387  SET(c)  (364) 

388  SET(al)  (364) 

****»ES  377  d  e; 

389  (a«dAdl -e)A((NATNUM(d)A-DENUM({bjb<(ee,,d)Apair(p"(ee,,d),bKR}))A$ET(e))  (389) 
**«**ES  383  d2  e2; 

390  (al-d2Ac-e2)A((NATNUM(d2)A-0ENUM((b|b<(ee',d2)Apair(p"(ee,,d2),bKR}))ASET(e2)K 
)  (390) 

**«**es  380  k; 

391  a-kAdl«(p"(ee,,k))  (391) 

****«es  386  j; 

392  al-jAc-(p"(ee"j))  (392) 

***»*aE  tT  2; 

393  dl-(p"(ee"k))  (391) 

*****/\E  TT  2; 

394  c-(p"(eeMj))  (392) 

*****TRY  USING  REWRITE  BY  {TT.T  368}; 

Goal  *1*1*1*1*2#2*1*2*1#1<«U1»*1<«1«1:  pair(p"(ee"j),p"(eeNk)KB 
*****TAUTEQ  d2-j  TTT.TTTTT; 

395  d2-j  (390  392) 

**«*TAUTEQ  d-k  TTTTT.TTTTTTT; 

396  d-k  (389  391) 

*****TAUT  3S9:»2*»  1  «*2  389; 

397  ->D£NUM<{b|b<(ee"d)Apair(p"(ee"d),b)<R})  (389) 
♦♦♦♦♦TAUT  390:*2«1«2  390;

398  MDENUM{b|b<(eeHd2)Apair(pWd2),b)<R})  (390) 

♦♦♦♦♦REWRITE  TT  BV  {TTTJ; 

2  substitutions  were  made 

399  'DENUM({b|b<(ee'‘k)Apair(p"(ee"k),b)<R})  (375  391) 

♦♦♦♦♦REWRITE  tt  BY  {TTTTT}; 

2  substitutions  were  made 

400  -DENUM({b|bc(eeMj)Apair(p"(ee"j)lb)cR})  (376  392) 

♦♦♦♦♦ASSUME  k«j; 

401  k-j  (401) 

♦♦♦♦♦REWRITE  391  BY  {T}; 

2  substitutions  were  made 

402  a-jAdl-(p"(ee"j))  (391  401) 

♦♦♦♦♦TAUTEQ  FALSE  369  392  T; 

403  FALSE  (367  391  392  401) 

♦♦♦♦*-1  T  401; 

404  -<k-j)  (367  391  392) 

♦♦♦♦♦REWRITE  T  BY  {LESS2}; 

1  substitutions  were  made 

405  k  LT  jvj  LT  k  (367  391  392) 

♦♦♦♦♦TAUTEQ  352:*2<B  350:352  399  400  t; 

406  pair(p"(ee"j),p"(ee"k)X8  (1  13  17  367  375  376  391  392) 

♦♦♦♦♦QEO; 

407  cl<B»pair(p“(ee"j)1p"(ee"k)XB  (367  391  392) 

408  cl(B  (1  13  17  364) 

409  (SET(c1)a3c  dl.((SET(c)A3a.(((SET(a)ASET(c))A3k.(a-kAc-(p"(ee"k)« 
))A((SET(a)ASET(c))A3d  e.((a-dAc-e)A((NATNUM(d)A-OENUM({b|b<(ee"d)ApaK 
ir(p"(ee’,d).b)<R}))ASET(e))))))A((SET(dl)A3a.(((SET(a)ASET(dl))A3k.(aK 
-kAd  1  *=(p"(ee"k)))M(SET(a)A$ET<d  1  ))A3d  e.((a=dAd  1  *=e  )a(( NATNUM(d  )a-DENUM(  {bK
|b<{ee"d)Apair(p"(ee"d),b)<R}))ASET(e))))))A(^c«dl)Acl»pair(c,dl)))))3cl(B  (1  13  17) 

410  Vc1.«SET(c1)a3c  dl.((SET(c)A3a.(((SET(a)ASET(c))A3Ma-kAc-(pH(e% 
e"k))))A((SET(a)ASET(c))A3d  e.«a-dAc-e)A((NATNUM(d)A-DENUM({b|b<(ee,1i 

d)Apair(p"(eeBd)(b)(R}))ASET(e))))))A((SET(dl)A3a.(«SET{a)ASET<dl))AX 

3k.(a-kAd  1  -(p"(ee"k)»)A{(SET(a)ASET(d  1  ))A3d  e.((a-d Ad  l  -eM(NATNUM(d* 
)A-'DENUM{{b|b<(ee”d)Apair(p"(ee”d),bKR}))ASET(e))))))AWc“dl)Acl-paX 
ir(c,dl)))))3cl<B)  (1  13  17) 

411  £DGESET({c|3a.opair(a1c)<({b|3k.b=opair(k,p"(eeBk))}nCR0SS({k|-'DE)£ 
NUM({b|b<(ee"k)Apair(p"(ee"k),b)cR})}lV))})cBsVcl.((SET(cl)A3c  dl.«SX 
ET(c)A3a.(((SET(a)ASET(c))A3k.(a-kAc-(p"(ee”k))))A((SET(a)ASET(c))A3dX 
e.({a-dAc-=e)A((NATNUM{d)A-DENUM<{b|b((ee"d)Apair(p-(ee"d),bKR}))ASE% 
T(e)))))W(SET(d  1  )A3a.(((SET(a)A$ET(d  1  ))A3k.(a-kAd  1  -(p“(ee“k)))W(SX 
ET(a)ASET(dl))A3d  e.((a«dAdl-eM<NATNUM<d)A-DENUM({b|b<(eeBd)Apair(p% 
"(eeHd),bKR}))ASET(e))))))AKc-dl)Acl-pair{c.dl))))>3cl(B) 

412  £DGESET({c|3a.opair(a,cH([b|3k.b-opair(k,p"(ee“k))}nCR0SS({k|-DE*<( 
NUM<{b|b((ee"k)Apair(p"(ee"k),b)<R})},V))})cB  (1  13  17) 

413  EDGESET({c|3a.opair(a,c)<({b|3k.b-opair(k,pB(eeBk))}nCR0SS({kHDEX 
NUM({b|b<(ee"k)Ap3ir(pB(eeBk),b)<R})},V))})cBvEDGESET({c|3a.opair(a(ci£ 
K({b|3k.b«opair{k,pM(ee"k))}nCR0SS({k|-D£NUM({b|b<(ee"k)Apair{p"(ee"% 
k),b)<R})},V))})cR  (1  13  17) 

414  (EDGESET({c|3a.opair(a,c)<{{b|3k.b-=opair{k,p”(ee“k))}nCR0SS(IF  DEX 
NUM({k|DENUM((b|b<(eeBk)Apair(pB(ee"k)1b)<R})})  THEN  {k|DENUM{ {b|b<{e*X 
e”k)Apair(p"(ee”k),b)(R})}  ELSE  {kbDENUM({b|b<(eeBk)Apair(pB(ee"k),bX 
)<R})}1V))})eBvEDGESET({c|3a.opair<a,cX({b|3k.b-opair(k,pB(eeBk))}ftCX 
ROSSdF  DENUM({k|DENUM<{b|b((ee"k)Apair(p"(ee"k).b)<R})5)  THEN  (k|DENX 
UM({b|b((ee”k)Apair(p"(ee"k),b)(R})}  ELSE  {khDENUM({b|b<{eeBk)Apair(X 
p"<ee"k),b)<R})},V))})cR)*(EDGESET({c|3a.opair(a1cX(ibpk.b»opair(k,,X 
p"(ee"k))}nCROSS({k|-D£NUM({b|b<(ee"k)Apair(pH(ee"k),bXR})},V))})cBvX 
EDGESET({c|3a.opair<a,c)<({b|3k.b-opair(kIpB(eeBk))}nCR0SS({k|'DENUM(X 
{b|b<(ee"k)Apair(pM(ee"k)1b)<R})},V))})cR)  (299) 

415  EDGESET({c|3a.opair(a,cK({b|3k,b-opair(k,p’,(ee"k))}nCROSS(IF  DENX 
UM({k|DENUM({b|b((ee"k)Apair(p"(ee"k),bXR})I')  THEN  {k|DENUM({b[b((eeX 
"k)Apair(pH(ee“k),bXR})}  ELSE  {k|-DENUM((bib((ee',k)Apair(p-(ee"k),b« 
<R})}1V))})cBvEDGESET(!c|3a.opair(a1c)<(,1b|3k.b-opair(k,p’’(ee"k))}nCRX 
OSSdF  DENUM({k(OENUM({b|b<(ee"k)Apair(p"(ee"k),b)<R})})  THEN  {kjDENUX 
M({b|b«ee"k)Apair(p”(ee"k).b)<R})}  ELSE  {k|-OENUM({bIb((eeHk)Apair(p% 
"(ee"k),bXR})},V))})cR  (1  13  17  299) 

416  -DENUM({k|DENUM({b|b<(ee"k)Apair(p"(ee"k),b)<R})})3(EDGESET({c|3aX 
.opair(a,cX({b|3k.b-opair(k,p"(ce"K))}r.CROSS(IF  DENUM({k|DENlM{b|b<X 
(ee"k)Apair(p"(ee"k).b)(R})})  THEN  'k|DENUM<{b|b<(ee"k)Apair(p''(eeBk)X 
,b)<R})}  ELSE  {k|-'DENUM({b|b<(ee“k)Apair(p"(ee"k),b)<R})},V))})cBvEDGX 
E$ET({c|3a.opair(a,cX({b|3k.b«opair(k,pB(ee“k))}nCR0SS(IF  DENUM({k|DX 
ENUM({b|b<(ee"k)Apair(p"(ee“k),b)(R})5)  THEN  {k|DENUM({b|b«eeBk)ApairX 
(p"(ee"k).bXR})}  ELSE  {K|-OENUM({b|bc(eeHk)Apair(p"(ee"k)IbXR})},V))})cR)  <1  13  17) 

417  EDGESET({c|3a.opair(a,cX({b|3k.b»opair(k,p"(ee''k))}nCR0SSdF  DENX 
UM({k|OENUNK{b|b((ee"k)Apair(p"(ee“k),b)<R})})  THEN  {k|DENUM({b|b<(eeX 
"k)Apair(p"(ee"k),bXR})}  ELSE  {k|-DENUM({b|b<<ee"k)Apair(p"(ee"k),b)X
<R})}.V))})cBvEDGESET({c|3a.opair(a,cX({bj3k.b-opair<k,p''(eeHk))}nCRX 
OSSflF  DENUKA{k|DENUKA{b|bc(eeBk)Apair<p"(ee"k),bKR})})  THEN  (k|DENUX 
M({b|b((ee"k)Apair(p"{ee,,k),b)<R})}  ELSE  {khDENUM<{b|b«ee’,k)Apair(pX 
"(ee"k),bXR})},V))})cR  (1  13  17) 

418  (EDGESET<RNG'!b|3k.b-opair(k,p"(ee"k))}  1  IF  DENlM{k|DENUM({b|b<X 
(ee"k)Apair(p”(ee”k>,bKR})})  THEN  {k|DENlM{b|b<(ee*k)Apair(p"(ee"kW 
,b)< R})}  ELSE  {khDENUM({b|b<(eeBk)Apair(p“(eeHk).b)<R})}))cBvEDGESETX 
<RNG<{b|3k.b«opair(k,p"(ee“k)>}  |  IF  DENUM({k|DENL)M({b|b<(ee"k>Apair{X 
p"(ee"k).bXR})})  THEN  {k|OENUM{{b|b<{ee"k)Apair(p-<eeHk),bXR})}  ELSX 

E  {k|-DENUK/K{b|b<(ee"k)Apair(p"(ee“k),bXR})}))cR)s<EDGESET({c|3a.opaX 
ir(a,cX({b|3k.b-opair(k,p"(eeNk))}nCROSS(IF  DENUM{{k|DENUM({b|b<(ee"X 
k)Apair(p"(ee"k),bXP})})  THEN  {k|DENUM<{b|b<(ee"k)Apair<pH(eeHk),bXX 
R})}  ELSE  {k|-DENUM({b|b<(ee"k)Apair(p"{eenk),bXR})},V))})eBvEDGESETX 
({c|3a.opair(a,c)<({b|jf,b^opair(k>p"(ee”k»}nCROSS(IF  DENUM({k|DENUMX 
({b|b<(ee"k)Apair(p*(ee“k),bXR})})  THEN  {k|D£NUW({b!b<(ee"k)Apair(p,,X 
<ee"k),bKR})}  ELSE  {k|-OENUM({b|b<{ee"k)Apair(p"(ee‘,k)(bXR})}1V))})cR) 

419  EOGESET(RNG({b|3k.b-opair(k,p"(ee"k))}  |  IF  OENUM({k|DENUM({b|b<(X 
ee"k)Apair(p*(ee"k)tb)<R})})  THEN  {k|DENUM({b|b<{ee"k)Apair(p-(ee"k),X 
bXR})}  ELSE  {k|-DENUM{{b|b<(ee"k)Apair{p"{ee"k),b)<R})}))cBvEDGESET(X 
RNG({b|3k.b«opair(k,p"(ee"k))}  |  IF  DENUM({k|DENUM<{b|b<(ee"k)Apair(pX 
"(ee"k),bXR))})  THEN  {k|DENUM{{b|bc{ee"k)Apair{p“(ee"k).bXR})}  ELSEX 

{khDENUM<}b|b((ee“k)Apair(p“(ee"k),bXR})}))cR  (1  13  17) 

420  DENUW(RNG({b|3k.b-opair(klp"(ee“k))}  |  IF  OENUW({k|DENUM({b|b((eeX 
“k)Apair(p-(ee"k).bXR})})  THEN  {k|DENUM<{b|b<(ee"k)Apair<p"<ee"k),b)X 
<R})}  ELSE  {k|-DENlM{b|b<(ee"k)Apair(p"(eeHk),bXR})}))A{EDGES£T(RNGX 
({b|3k.b-opair(k,p"(ee"k))}  |  IF  DENUM{{k|DENUM<{b|b«ee"k)Apair<p"(eX 
e"k).bXR})})  THEN  {k|DENLM{b|bC(ee“k)Apair(p"<ee"k),b)<R})}  ELSE  {kX 
|-OENUM({b|bc(ee’k)Apair(pH(ee"k)1bXR)')}))cBvEDGESET(RNG({b|3k.b-opaX 
ir(k,p”(ee"k))}  |  IF  DENUM({k|DENUM({b|b<(ee"k)Apair(p"(ee"k),bXR}>}X 

)  THEN  {k|DENUM({b|b<(ee"k)Apair(p“{ee"k)IbXR})}  ELSE  {k|-DENUM({b|bX 
<(eeHk)Apair(p"(ee"k),b)<R})}))cR)  (1  13  17) 

421  RNG({b|3k.b-opair(k,p"(ee“k))}  |  IF  DENlM{k|OENUM({b|b<(ee"k)ApaX 
ir(p"(ee"k),b)<R})})  THEN  {k|DENUM([b|b((ee"k)Apair(p"(ee"k),bXR}))  X 
ELSE  {kHDENUM({b|b((ee"k)Ap3ir(p“(ee*,k),bXR})})cGA(DENUM(RNG({b|3k.X 
b»opair(k,p"(ee"k))}  |  IF  DENUM({k|DENUM({b|b<(ee"k)Apair(p"<ee"k),bW 
<R})}>  THEN  {k|DENUM{{b|b((ee*k)Apair(p*(ee"k),bXR})}  ELSE  }k|->DENUMX 
({b|b<(ee"k)Apair(p"(ee’’k)1bXR})}))A{E0GESET(RNG{{b|3k.b"0pair(k,p"(X 
ee“k))}  |  IF  DENUM({k|DENUM({b|b((ee"k)Apair(p"(ee"k)1bXR})}>  THEN  {X 
k|OENUM({b|bc(ee"k)Apair(p"(ee"k),bXR})}  ELSE  {khDENUM({b|b<(ee"k)A% 
pair(p"(ee"k),bXR})}))cBvEDGESET(RNG<{b|3k.b«opair(k1p"<ee"k)>}  |  IFX 
DENUM({k|DENUM({b|b({ee"k)Apair{p"{ee"k),bXR})})  THEN  {k|DENUM({b|bX 
<(ee"k)Apair(p"(ee"k),bXR})}  ELSE  {khDENUM<{b|b({ee"k)Apair(p"(ee"kX 
),bXR))})X=R))  (1  13  17) 

422  3a.(acGA(DENUM(a)A(EDGESET(a)cBvE0GESET{aX:R)))  (1) 

423  (DENUM(G)A(E0GESET<G)-(RuB)A(RnB)-X))33a.(acGA(DENUM(a)A{EDGESET(X 
a)cBvEDGESET(a)cR))) 

424  VG  R  B.((DENUM<G)A(EDGESET(G)-(RuB)A(RnB)-X))33a.(acGA(DENUM(a)A(X 
EDGE$ET(a)c8vEDGE$ET(a)cR})))


8.5.  Statistics  of  the  proof. 

For the proof shown in the last section, the user typed 309 commands. Of these, 199 were
forward FOL commands and 110 were GOAL commands proper, including 14 commands for goal
creation, 6 for addition of facts, and 72 calls to TRY.

The  complete  statistics  are  shown  next. 


Goal commands:

GOAL  14

ADDFACTS  6 

QED  6 

PREPARE  14 

TRY  72 


TOTAL  110


Detail of TRY:

∀I  3

=  1  2 

∧I  3

REWRITE  21 

MONADIC  9 

∃I  3

ELIMINATION  12 

LOGIC  3 

TAUT  4 

TAUTEQ  3 

IMPLICATION  2 

INDUCTION  2 

UNIFY  1 

EQUNIFY  1 

IFCASES  1 

∨I  2




Summary  of  FOL  commands: 


LABEL  21 

REWRITE  36 

MONADIC  10 

RESOLVE  4 

∀E  46

∀I  8

∃E  23

∃I  1

TAUT  20 

TAUTEQ  12 

SIMPLIFY  2 

EVAL  6 

∧E  3

SUBSTR  3 

DED  2 

ASSUME  2 

¬I  2


TOTAL  199


8.6.  Conclusion. 


Summing  up  the  statistics  just  shown  with  the  44  commands  used  in  the  proof  of  the 
auxiliary  lemmas,  we  can  conclude  that  the  old  proof  required  roughly  twice  as  many  user 
commands  as  this  one. 

This  is  not  as  great  a  gain  as  we  had  hoped  for,  in  terms  of  just  the  number  of  commands. 
However,  there  are  other  gains:  the  proof  of  Ramsey's  theorem  is  very  complex,  and  the 
ability  to  work  on  several  goal  trees  seems  to  make  it  much  easier  to  construct  the  proof.  At 
least  this  is  true  in  my  own  experience. 

Ramsey's theorem does not seem to be the kind of theorem where the reduction in the number of
commands is largest. In the auxiliary theorems proved earlier, the reduction was by a factor of
four. Those theorems are of medium size: their FOL proofs were between 10 and 60 lines
each. It is probably for small and medium size theorems that the greatest reduction in the
number of user commands can be achieved by GOAL. At the same time, it is probably for the
more complex theorems like Ramsey's that the advantage of GOAL as an aid for structured,
top down proof construction is more likely to be felt.